Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Internal Controls for Gifts, Travel and Entertainment

While many compliance practitioners believe that employee expense reports are a sufficient internal control over gifts, there are other ways in which a gift can be presented, so other controls must be considered. Once your company policy on gifts has been finalized, the internal controls over expense reports fall into three primary areas:

  1. The expense report format, including what information it requires.
  2. Controls over the submitting employee and the preparation of the expense report.
  3. Controls to ensure the approvers do their review process properly.

Internal controls around gifts can be used in various ways in your best practices compliance program. They can certainly be used to detect an issue and perhaps even prevent an issue from becoming a full-blown FCPA violation. However, by using some of the techniques that Howell has suggested, you can move your compliance program to a prescriptive phase where you not only stop an issue from becoming a violation but, through identification, move towards remediation as a part of your ongoing compliance efforts. The bottom line is that good internal controls make for good business processes; if you can move your compliance program’s internal controls forward, you can help make them a part of your financial controls and, thereby, have a better-run company.

Three Key Takeaways:

  1. GTE compliance internal controls are low-hanging fruit. Pick them.
  2. Compliance internal controls can be both detective and preventive controls.
  3. Good compliance with internal controls is good for business.

For more information on how to build out a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.

One Month to More Effective Internal Controls – Internal Controls for Third Parties

In “Bribery built into the fabric of Chinese healthcare system”, reporters Jamil Anderlini and Tom Mitchell wrote about the nuts and bolts of how bribery occurs in the healthcare industry in China. The authors quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China,” for the following: “This is a systemic problem, and foreign pharmaceutical companies are in a conundrum. If they want to grow in China, they must give bribes. It’s not a choice because officials in the health ministry, hospital administrators, and doctors demand it.”

It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in Company policies. It should fall to a Compliance Officer to finalize and approve a definition of permissible and non-permissible gifts, travel, and entertainment, and internal controls will follow from such definition or criteria set by the company. These criteria would include the amount of the spend, localized down into increased risk, such as the higher risk recognized in China. Within this context, there are four general internal controls to consider. 

Three Key Takeaways:

  1. GSK in China continues to be an example of the lack of internal controls for an effective compliance program.
  2. General areas of review for internal compliance controls.
  3. Third parties are still at the highest risk of corruption-related issues.

One Month to More Effective Internal Controls – Assessing for Internal Controls in International Operations

How should you assess your internal controls regime for international operations? It is incumbent on you to review as much information as you can to understand an entity’s financial and operational structure and how it is integrated with the financial and operational structure of the corporate headquarters, or of the U.S. business unit if the foreign operation is part of a U.S. business unit.

You could begin with the TI-CPI to garner a sense of the reputation of the country in which your business unit is located, as well as the CPI for all other countries in which the location either markets business or has current customers. Another area for inquiry or review is the scope of your foreign operations. Other areas of inquiry should include whether your company’s finance and accounting staff produce financial statements that are integrated into the parent’s financial statements, whether your international business locations utilize a local bank account for local sales receipts as well as funds transfers from the U.S. and whether the account has local check signers and whether dual signatures are required on the checks. You may also want to consider the extent to which disbursements are made in the local currency and whether there is a local petty cash fund.

As with many other areas around internal controls, it is important to consider the local DOA and whether it is consistent with your corporate DOA. Some of the considerations regarding the local DOA should extend to which corporate or U.S. business unit approvals are required for transactions initiated locally, such as 1) approval of vendor invoices; 2) disbursements of funds, including wire transfers; 3) execution of facilities leases; 4) execution of contracts with agents; and 5) approval of pricing and credit terms to customers and distributors. You should also review whether the local DOA provides appropriate SODs at the local business unit level.

These reviews, questions, inquiries, and analyses are designed to locate the pressure points involved in any company’s sales processes. This is because pressure is a key element of occupational fraud, and the risk of fraud, including corruption, increases as the pressure increases. Since corruption is viewed as a subset of fraud, it might be a good time to review the “fraud triangle,” which lays out a breeding ground for fraud in the corruption context.

Three key takeaways:

1. You must understand your company’s financial and operational structure and how that structure outside the U.S. is integrated with the corporate headquarters.

2. Are your financial statements and reporting systems integrated?

3. Always consider the fraud triangle.

One Month to More Effective Internal Controls – Internal Controls in International Locations

A CCO should expect (or at least hope) that internal controls at locations outside the U.S. are of the same effectiveness as internal controls within U.S. business units and at the U.S. corporate office. Unfortunately, that might not always be the case; it is often the case that corporate level internal controls are stronger than those in foreign business units. There may well be several reasons for this. First, the CFO may be paying closer attention to the corporate level internal controls, with the idea that the corporate level internal controls are the final “filter” to detect issues. This follows partly from the focus in most companies on the controls over financial reporting, which does not include all controls needed for compliance. A second reason is that many companies were built through acquisitions, resulting in many business units (both in and outside the U.S.) having completely different accounting, ERP, and internal control systems than the corporate office. There is often a tendency to leave acquired companies in the state where they were acquired rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the company’s profitability, and nobody wanted to be accused of negatively impacting profitability.

A third situation may exist at locations outside the U.S. with what began simply as a sales office and then expanded its scope of operations to become a business unit with its own accounting and data processing functions. Unfortunately, it is not often a situation where there was a master plan for internal controls as the location’s scope grew. Processes are usually added and designed by the local personnel, which, in practice, means the country manager has total control over financial affairs and is not truly accountable to the corporate office. This can be particularly true if a country’s business unit’s profits continue. In such situations, there will rarely be any focus on effective preventive internal controls for compliance risk.

Where should a CCO begin in any of the above scenarios? The first step is to determine the extent of centralization or decentralization of relevant processes or, put another way, to what extent relevant processes are performed at the corporate offices. The second step for the CCO is to determine the possible universe of risks and to assess those risks so that attention can be prioritized. One useful approach is to perform a location risk assessment, whose purpose is to capture in one place each location outside the U.S. where your company conducts business and to assess the compliance risks posed by the nature of operations at each location. Once the risks at each location have been properly categorized, you can prioritize your approach to dealing with the risks.

Three key takeaways:

1. Modifying your internal controls can work to operationalize your compliance program more fully.

2. Check the effectiveness of your internal controls for your international locations.

3. Revisit your internal controls when a country or region experiences large growth or disruption.

One Month to More Effective Internal Controls – Discipline and Rigor In Your Internal Controls

New York Times columnist David Brooks’ thoughts on building and maintaining order inform the discussion on rigor in your internal controls. In internal controls, I believe it is incumbent to consider not only the most obvious risk areas for your internal controls but also the universe of potential transactions within a company’s operations. There is a clear need for rigor in your internal controls protocols. Adherence to that rigor can increase operationalization around the internal controls a company should consider, including gifts, travel, and entertainment expenses. Brooks said, “Building and maintaining order … requires toughness of mind and rigid discipline to serve your own work properly.” By having the rigor to institute and enforce the types of internal controls identified, you can go a long way toward detecting and, more importantly, preventing an FCPA violation from occurring.

Some of the key areas of Internal Control focus should be:

  • The Delegation of Authority (DOA)
  • Petty cash disbursements
  • Travel
  • P-Cards
  • Employee Expense Reports
  • Corporate checks and wire transfers, such as check requests, purchase orders, or vendor invoices.
  • Gifts and business entertainment

Three key takeaways:

1. You must maintain rigor around your internal controls.

2. Controls against fraud can also help to prevent corruption.

3. Building and maintaining good internal controls requires rigor.

One Month to More Effective Internal Controls – What Are Internal Controls?

What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. Internal controls expert Joe Howell has said that internal controls are systematic measures, such as reviews, checks and balances, methods, and procedures, instituted by an organization to perform several different functions. Howell also notes that, for compliance purposes, controls are those measures specifically designed to provide reasonable assurance that any assets or resources of a company cannot be used to pay a bribe. This definition includes the diversion of company assets, such as by unauthorized sales discounts or receivables write-offs, as well as the distribution of assets.

Three key takeaways:

  1. Effective internal controls are required under the FCPA.
  2. Internal controls are a critical part of any best practices compliance program.
  3. There are multiple FCPA enforcement actions that demonstrate the enforcement spotlight on internal controls.

Categories
Creativity and Compliance

Changing the Ethics & Compliance Brand with Yum!

Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the award-winning Compliance Podcast Network.

Ronnie’s company, Learnings & Entertainment, utilizes the entertainment devices people use to consume information in their everyday, non-work lives and applies them to important topics around compliance and ethics. It is not only about being funny. It is about changing the tone of your compliance communications and messaging to make your compliance program, policies, and resources more accessible.

In this episode, Tom and Ronnie visit with David Mindell, Associate General Counsel, Global Compliance at Yum! Brands. We discussed the compliance program rebranding that Ronnie and his creative team at Learnings & Entertainment helped David lead. They rebranded the compliance program name, created a new logo, and even created a jingle for compliance.

Highlights include:

  • Overview of Yum! E&C program.
  • Changing the Ethics & Compliance Brand within Yum!
  • Putting a fresh face on the E&C program.
  • Rebranding with a new name, TASTE – Trust, Accountability, Support, Togetherness, Ethics.
  • Have a good TASTE!; TASTER’s CHOICE; TRAVELING WITH TASTE; THESE ARE THE DAYS OF OUR FRIES

Categories
Everything Compliance

Everything Compliance – Episode 110, The Bayeux Tapestry Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. Everything Compliance has been honored by W3 as the top talk show in podcasting. In this episode, we have the quintet of Jay Rosen, Jonathan Armstrong, Jonathan Marks, Tom Fox, and Matt Kelly, who discuss a potpourri of issues. We conclude with our fan-fav Shout Outs and Rants section.

  1. Matt Kelly looks at the SEC enforcement action against McDonald’s for giving disgraced former President Steve Easterbrook a severance package without explaining its reasons. He rants about the Department of Justice CCO certification requirement for Danske Bank.
  2. Jonathan Marks reviews the Fraud Pentagon and explains the additions of arrogance and convenience to the Fraud Pentagon. He rants about the recent FAA failure, which crippled the US airline industry.
  3. Tom Fox has his first dual shout-out. His first shout-out is to US District Judge Middleton for sanctioning Donald Trump and his lawyer, jointly and severally, for $938,000, and his second is to the recently deceased musician David Crosby.
  4. Jonathan Armstrong looks at the NIS II Directive. He rants about the Tory proposed law against publicizing small boats that would make showing or even talking about the Bayeux Tapestry illegal.
  5. Jay Rosen looks at when and how a compliance program is ‘good enough.’ He shouts out to the NFL for the playoffs and for getting us the best four teams in the final four.

The members of Everything Compliance are:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
  • Jonathan Marks is Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Compliance Into the Weeds

Update to the Corporate Enforcement Policy

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more. In this episode, Matt and I take a deep dive into the recent Kenneth Polite speech announcing changes to the Corporate Enforcement Policy.

Some of the highlights include:

  • What are the policy reasons for the change?
  • Real credit is now being given for effective compliance programs.
  • What about self-disclosure?
  • What is the new definition of an effective compliance program?
  • Is the DOJ trying to avoid 5th Amendment concerns? Will it work?
  • New percentage discounts and what they mean?
  • Why does Matt have more questions?

Resources

Tom cited in CCI

Matt Kelly in Radical Compliance

Categories
Blog

Operationalizing Compliance: Part 1 – Compliance Program Effectiveness

Welcome to a special five-part podcast series on Operationalizing Your Compliance Program, sponsored by Broadcat LLC. Over this series, I visit with Jennifer May, Director of Compliance Advisory; Taylor Edwards, Director of Sales; Xinia Pirkey, Design Manager; Alex Klingelberger, Chief Executive Officer (CEO); and Jaycee Dempsey, Director of Customer Success. We consider a variety of ways to more fully operationalize your compliance regime, including the design and effectiveness of your communications, why the operationalization of compliance is a team sport, why simply data is not the answer, and how to avoid being overwhelmed. In Part 1, I am joined by Jennifer May to consider what compliance program effectiveness is.

We began with one of the most well-worn words in compliance that still challenges compliance professionals, that being ‘effectiveness’. May said that it is not about getting a hundred percent completion on some sort of training module, which unfortunately in many ways has become the benchmark or the metric used. Instead, it is about getting information to individuals so you can get the right outcomes. Effectiveness is not represented by clicks but rather it is about outcomes.

You should start by identifying your highest risk activities. Begin by asking questions, which might include “Are you having good (or bad) outcomes when it comes to those risky activities? And if you’re not, why are you not? Do your employees understand what it is that they are supposed to be doing and when they are supposed to be doing it? What are those behaviors and the outcomes that we want to change or need to change to get to the appropriate outcomes?”

By asking such questions and delivering training and communications on those topics and areas, you begin to see a shift in people. It is not about a click; the result is compliant behavior. Shifting the focus and conversation to what those outcomes are allows you to start thinking about training in a different way and you can start to see how effectiveness can begin to be impacted by solid training that focuses on outcomes.

May analogized it to a closed-book or open-book test. She does not believe employees should think of compliance as a “closed-book test.” Compliant behavior is not something that you should keep behind a curtain. Your information should be out there and available to any employee who needs it in the moment that they need it. If there is a risk to manage; that is when they will need it. But if your employees need such information “the next time and the next time, and every time subsequent to that, then that’s okay too. There’s no reason why keeping that compliance information hidden or keeping it locked away and making them remember it is going to make them more effective or, more appropriately, compliant in their behaviors. Providing that information upfront and always when they need it, is really the key.”

Obviously, compliance folks cannot be everywhere all at once. Your compliance function may be a single person or a small team. Further, they cannot morph themselves into covering every single risk and every single moment of the organization every time. That is why the closed-book test does not do them any good as they cannot “be standing over someone’s shoulder every time talking about why they need to do something, what they need to do and how they need to do it.” Keep an open-book approach and make compliance information openly available whenever employees need it.

We concluded with a few thoughts on credibility for your compliance program, which May believes is a very important concept for compliance, and she had an interesting take on that issue. She said that credibility “honors employees as professionals in the work that they are doing.” This ties into “being open about the resources that are available, encouraging them to use them, encouraging them to find them, and perhaps, most importantly, encouraging them to reach out when they have a question.” May sees all this as a part of that credibility. This leads to engagement on a level which is about what they do and demonstrating that you, as the compliance professional, are there to support them.

Join us in Part 2 where we look at program design.

Resources

For more information, check out Broadcat here.