Legal Risk Management Specialized Studies Certificate Program for UCI Extension, where she teaches for that program and the Contract Management Certificate Program. She has published articles on various business law matters, most recently for the National Contract Management Association’s Contract Management Magazine May 2015 issue, as well as for the National Center for State Courts and the Aerospace and Defense Forum. Every corporation and compliance practitioner faces a wide variety of risks. These include regulatory risks, legal risks, reputational risks, safety risks, environmental risks, and many other types of risks. We consider whether there is one process or approach to take to the over-arching concept of risk management or if the approach needs to be fined tuned by an organization. We discuss the Legal Risk Management Specialized Studies Certificate Program, including the program benefits and who should attend. We explore the approach to teaching risk management. We discuss some of her current initiatives on the study of and teaching of risk. In this episode, I discuss with Virginia Suveiu the theories of risk and the process of risk management.
Tag: compliance
SEC Chair Clayton Talks Compliance Costs. Will the new administration gut SOX and Dodd-Frank compliance requirements?
Top Ten International Anti-Corruption Developments for May 2017. Our topics include:
- FCPA Assistant Chief BJ Stieglitz has been selected for detail to UK Financial Enforcement Authorities. We discuss how a prosecutor works overseas, what this might mean for prosecutions going forward in the US and UK, and the relationship of the DOJ with its British counterparts.
- The DOJ has moved to terminate its DPA over Hewlett-Packard. We discuss what it means to have a DPA terminated and the DOJ’s role in this phase. We also consider the decision-making process if a DPA has to be extended due to continued or new conduct by a company under such an agreement.
- Finally, we consider some of the difficulties of the DOJ’s Challenges in Obtaining Foreign Evidence through a recent ruling in the Civil Forfeiture Case. On May 9, 2017, In the case of United States v. Prevezon Holdings Ltd., Southern District of New York Judge William H. Pauley III ruled that certain evidence obtained by prosecutors from foreign sources was admissible in a civil asset forfeiture case, notwithstanding that the documents lacked the requisite certifications under the Federal Rules of Evidence. We consider the process for getting information from overseas; why it takes so long, and what happens if it does not meet US evidentiary or even admissibility standards?
Click here to see a full copy of the firm’s Top Ten International Anti-Corruption Developments publication for May 2017. James Koukios returns to discuss MoFo’s Top Ten International Anti-Corruption Developments for May 2017.
Cease and Desist Order also covered former employee Jeannot Lorenz, and the SEC spelled out a bribery scheme facilitated by both a failure and override of company internal controls. The matter involved Halliburton’s work in Angola with the national oil company Sonangol, which had a local content requirement. The nefarious acts giving rise to the FCPA violation involved a third-party agent for Halliburton’s contracts with the state-owned enterprise. According to the SEC Press Release, this matter initially began in 2008 when officials at Sonangol, Angola’s state oil company, informed Halliburton management it had to partner with more local Angolan-owned businesses to satisfy local content regulations. The company was successful in meeting the requirement for the 2008 contracting period. However, when a new round of oil company projects came up for bid in 2009, Sonangol indicated, “Halliburton needed to partner with more local Angolan-owned businesses to satisfy content requirements.” Halliburton’s prior work on local content was deemed insufficient, and “Sonangol remained extremely dissatisfied” with the company’s efforts. Sonangol backed up this dissatisfaction with a potential threat to veto further work by Halliburton for Sonangol. Under this backdrop, the local business team moved forward with a lengthy effort to retain a local Angolan company (Angolan agent) owned by a former Halliburton employee who was a friend and neighbor of the Sonangol official who would ultimately approve the award of the business to Halliburton. In each of these attempts, the company bumped up against its internal controls around third parties, both on the sales side and through the supply chain. The first attempt to hire the Angolan agent was as a third-party sales agent, which under Halliburton parlance is called a “commercial agent.” In this initial attempt, internal control was held as the business folks abandoned their efforts to contract with the Angolan agent. The first attempt to hire the Angolan agent was rejected because the local Business Development (BD) team wanted to pay a percentage fee based, in part, upon work previously secured under the 2008 contract and not new work going forward. Additional fees would be paid on new business secured under the 2009 contract. This payment scheme for the Angolan agent was rejected as the company generally paid commercial agents for work they helped obtain and not work secured in the past. Further, the company was not seeking to increase its commercial agents during this time frame (Halliburton had entered into a Deferred Prosecution Agreement (DPA) for FCPA violations in December 2008 for the actions of its subsidiary KBR in Nigeria). Finally, “As outlined by Halliburton’s legal department, to retain the local Angolan company as a commercial agent, it would be required to undergo a lengthy due diligence and review process that included retaining outside U.S. legal counsel experienced in FCPA compliance to conduct interviews. Halliburton’s in-house counsel noted that “[t] he is undoubtedly a tortuous, painful administrative process, but given our company’s recent US Department of Justice/SEC settlement, the board of directors has mandated this high level of review.” In other words, the internal controls held and were not circumvented or overoverriddene Angolan agent was then moved from commercial agent status to supplier so the approval process would be easier. The proposed reason for this switch in designations was that the Angolan agent would provide “real estate maintenance, travel, and ground transportation services” to the company in Angola. However, the internal controls process around using a supplier also had rigor as they required a competitive bidding process which would take several months to complete. Over-riding this internal control, the local business team could contract with the Angolan agent for these services in September 2009 and increase the contract price without the Angolan agent going through the internal procurement controls. A second internal control overridden was the procurement requirement that the supplier procurement process begins with “an assessment of the critically or risk of a material or services”; not with a particular supplier and certainly not without “competitive bids or providing an adequate single source justification.” However, as the Order noted, the process was taken backward, with the Angolan agent selected and then “backed into a list of services it could provide.” Finally, a separate internal control required “contracts over $10,000 in countries with a high risk of corruption, such as Angola, to be reviewed and approved by a Tender Review Committee.” Inexplicably this internal control was also circumvented or overoverriddent. This arrangement was not deemed sufficient local content by Sonangol officials. After all of this and further negotiations, Halliburton entered into another agreement with the Angolan agent, where the company would lease commercial and residential real estate and then sublease the properties back to Halliburton at a substantial markup and also provide real estate transaction management consulting services (the “Real Estate” contract). This Real Estate contract also had to go through an internal control process. Initially, there were questions the company about the Real Estate contract as a single source for the procurement function, the upfront payment terms to the Angolan agent, the high costs, and the rationale for entering into subleases for properties that would cost less if leased directly from the landlord. Indeed, “One Finance & Accounting reviewer at headquarters noted that he could not think of any legitimate reason to pay the local Angolan company over $13 million under the Real Estate Transaction Management Agreement and that it would not have cost that much to run Halliburton’s entire real estate department in Angola.” Halliburton’s internal controls required that it had to be justified when the company used a single source. This justification would require a showing of preference for quality, technical, execution, or other reasons, none of which were demonstrated by the Angolan agent. Finally, if such a single source was used, the reasons had to be documented in Halliburton’s internal controls language “identified and justified.” The company documented none. Finally, as the internal controls were either circumvented or over-ridden, “As a consequence, internal audit was kept in the dark about the transactions, and its late 2010 yearly review did not examine them.” This was yet another internal control failure built on the previous failures noted above. So how many internal controls failures can you spot? Whatever the number, the lesson for the compliance practitioner is that you must do more than have internal controls. They must be followed and be effective. If you are doing business in high-risk regions, you have to test the controls and back up your testing by seeing if payments are being made in those regions. Perhaps the best concept would be Reaganian, trust but verify.
Three Key Takeaways
- Internal controls must be shown to be effective.
- Circumvention and management override of internal controls must be documented to pass muster.
- Internal controls must be tested, and that testing must be verified with an independent source of investigation.
Internal controls must be tested and verified to demonstrate effectiveness. For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com.
Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), COSO laid out its views on “how to assess the effectiveness of its internal controls.” It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting, and compliance.” Moreover, two over-arching requirements can only be met through such a structured post. First, each of the five components is present and functioning. Second, are the five components “operating together in an integrated approach.” One of the most critical components of the COSO Framework is that it sets internal control standards against those you can audit to assess the strength of your compliance with internal control. As the COSO 2013 Framework is designed to apply to a wider variety of corporate entities, your audit should be designed to test your internal controls. If you have a multi-country or business unit organization, you must determine how your internal compliance controls are interrelated up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward. The Illustrative Guide suggests using a four-pronged approach in your assessment. (1) Make an overall assessment of your company’s system of internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.” (2). There should be a component evaluation. Here you need to evaluate any deficiencies you may have more deeply and whether there are any compensating internal controls. (3) Assess whether each principle is present and functioning. As the COSO 2013 Framework does not prescribe “specific controls that must be selected, developed and deployed,” your task here is to look at the main characteristics of each principle, as further defined in the points of focus, and then determine if a deficiency exists and it so what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log, so they are addressed on a structured basis. Another way to think through the approach could be to consider “the controls to effect the principle” and would allow internal control deficiencies to be “identified along with an initial severity determination.” A Component Evaluation would “roll up the results of the component’s principal evaluations” and would allow a re-evaluation of the severity of any deficiency in the context of compensating controls. Lastly, an overall Effectiveness Assessment would examine whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This process would then lend itself to an ongoing evaluation. If business models, laws, regulations, or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment. The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially, it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It defined‘ major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” A major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective internal control system.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.” Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For example, if written policies do not have, at a minimum, the categories of policies laid out in the FCPA 2012 Guidance, which states “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments,” also formulated in the Illustrative Guide, such a finding would preclude management from “concluding that the entity has met the requirements for effective internal controls by the Framework.” However, what steps should you take if there are no objective criteria, as laid out in the FCPA 2012 Guidance, evaluate your company’s compliance with internal controls? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation, or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.” The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, and Document feature are critical in any best practices anti-corruption or anti-bribery compliance program, whether based upon the FCPA, UK Bribery Act, or some other regulation. With the Illustrative Guide, COSO has given the compliance practitioner a handy road map to begin an analysis of your company’s internal compliance controls. When the SEC comes knocking, they will look for this type of evidence to evaluate if your company has met its obligations under the FCPA’s internal controls provisions. First are some general definitions that you need to consider in your evaluation. An internal compliance control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.” An internal compliance control functions if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”
Three Key Takeaways:
- An effective internal controls system provides reasonable assurance of the entity’s objectives relating to operations, reporting, and compliance.
- There are two over-arching requirements for effective internal controls. First, each of the five components is present and functional. Second are the five components operating together in an integrated approach.
- You can use the Tem Hallmarks of an Effective Compliance Program for an anti-corruption compliance program as your guide to testing against.
For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. The COSO model can be used to structure your assessment of internal controls.
Show Notes for Everything Compliance-Episode 14
Topics from Matt:
- Trump Administration & FCPA enforcement— we have two declinations now; maybe a compare-and-contrast and speculation on what a tough Trump Admin enforcement WOULD look like;
- EU’s GDPR— Do EU regulators know what they want to do with the enforcement of this law; if they follow the lead of the anti-competition people whacking Google, it could be a big deal;
- Hui Chen’s departure from the Justice Department, both her public rebuke of Trump and the substance of how she believes her guidance has been misinterpreted; and
- Ethical leadership and the lack thereof; the menace of abusing perks and privilege, connecting my posts about Uber’s leaders and Chris Christie vacationing on a closed beach.
Topics from Jay:
- How do the Campaign Finance Laws mirror/or differ from the FCPA?
- Will the Russian Collusion Investigation reveal the ultimate FCPA violation?
- Regarding Walter Shaub’s departure from the Office of Governmental Ethics (OGE), does it matter? What is OGE supposed to do, and why did it work for the past 40+ years but fall on deaf ears with the Trump administration?
- Dovetailing with Matt’s question about a slow H1 for FCPA enforcement and in light of the just-released Gibson Dunn FCPA Mid-Year Report, does the current climate (and lack of vigorous enforcement) provide a perfect storm for companies to look the other way if they fall off the E&C wagon, or do we think that companies are still being vigilant despite a perception of decreased enforcement?
Rants follow this week’s episode. What do the two declinations in 2017 mean? The Everything Compliance panel of experts weighs in.
Monitoring Activities. The Framework Volume says, “Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different entity levels, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on the assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management, and the board of directors. Deficiencies are communicated to management and the board of directors as appropriate.” However, as with all other components of the COSO Cube, Monitoring Activities are part of an inter-related whole and cannot be taken singularly. Rittenberg states this objective “applies to all five components of internal control. The nature of monitoring should fit the organization, its dependence on IT, and the effectiveness of monitoring providing relevant feedback on the other components, including the effectiveness of control activities.” For the CCO or compliance practitioner, Monitoring Activities have been growing in importance over the past few years and will continue to do so in the future. The Five Principles of an Effective Compliance Program, Principle 5, includes ongoing monitoring, reinforced in the 2013 COSO Framework. In an article in Corporate Compliance Insights (CCI), entitled “Implementing COSO’s 2013 Framework: 10 Questions that Need to be Answered”, Ron Kral explained that it is essential to “ensure that adequate controls are ‘present’ in support of all relevant principles and the components before launching into efforts to prove that the controls are “functioning.” Remember that all relevant principles must be present and functioning for a company to conclude that its ICFR is effective safely. Aligning the design of controls to the 17 principles to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.” The same is equally, if not more so, true for your company’s compliance function.
I. Objective-Monitoring Activities The Monitoring Activities objective consists of two principles. They are: Principle 16 – “The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” Principle 17 – “The organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”
Principle 16 – Ongoing Evaluation
Rittenberg stresses that this Principle requires that “Monitoring should include ongoing or ‘continuous monitoring’ whenever such monitoring is reliable, timely and cost-effective.” The reason is simple; they are complementary tools to test the effectiveness of your compliance regime. The same is true of internal controls. But this Principle expects your organization to oversee, monitor, and audit. For the CCO or compliance practitioner, you will need to consider several different areas and concepts going forward. A current risk assessment or other evaluation of business changes should be based on some baseline understanding of your underlying compliance risk. Whatever you select will need to be integrated with your ongoing business processes, adjusted as appropriate through ongoing risk assessments, and objectively evaluated.
Principle 17 – Evaluation And Communication Of Deficiencies
This final Principle speaks to deficiencies and their correction. Rittenberg notes it requires a determination of what might constitute a deficiency in your internal control, who in your company is responsible for “taking corrective action and whether there is evidence that the corrective action was taken.” If that does not sound like McNulty Maxim No. 3, What did you do when you found out about it? I do not know what it does. Therefore, under this Principle, the CCO will need to take timely and determined action to correct any deficiencies which might appear in your compliance regime. It will require you to assess results, communicate the weaknesses up the chain to the board or Compliance Committee, correct and then monitor the corrective action going forward. Adapting Kral, I urge that every key internal compliance control in support of the 17 Principles should “conclude upon by management in terms of their adequacy of design and operating efficiency.”
II. Discussion Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running correctly. Both ongoing monitoring and auditing are tools the CCO and compliance practitioner should use to support this objective. Near the end of his section on this objective, Rittenberg states, “Monitoring is a key component of the internal control framework because effective monitoring (a) recognizes the dynamics of change within an organization, and (b) provides the basis for corrective action on a timely basis.” I would add that it also allows you to evaluate the effectiveness of that corrective action. The most important thing is that all the controls need to be sustainable. You cannot just build one-off controls that allow you to do one period and not have a process in place that will help you through all the periods you need to cover. The controls cannot just be a one-and-done. Many companies will find that their initial approach is one-and-done. There must also be a mechanism for communicating controls that do not work or can be overridden. From there, you must be able to remediate your controls going forward. This will align with the compliance professional’s requirement to prevent, detect, and remediate.
Three Key Takeaways:
- Monitoring activities are interrelated with all other Principles and cannot be taken singularly.
- Monitoring activities helps to ensure that all controls are present and functioning.
- Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running correctly.
For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. Ongoing monitoring of your internal controls helps to endure they are sustainable and not overridden.
Best practices compliance program. The first in Hallmark No. 1 states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources,” which says the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided sufficient information to enable independent judgment?
The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. I believe that a Board must have a corporate compliance program in place and actively oversee that function.
Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and the compliance function. The Board must ask hard questions and be fully informed of the company’s overall compliance strategy. Lawyers often speak to and advise Boards on their legal obligations and duties. If a Board’s oversight is part of effective financial controls under Sarbanes Oxley (SOX), that includes effective compliance controls. Failure to do either may result in something far worse than bad governance. It may directly lead to an FCPA violation and could even form the basis of an independent FCPA violation. A company must have a corporate compliance program in place and actively oversee that function. A failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Internal controls work together with compliance policies and procedures and are interrelated control mechanisms. There are five general compliance internal controls for a Board or Board subcommittee role for compliance:
- Risk Assessment – A Board should assess the compliance risks associated with its business.
- Corporate Compliance Policy and Code of Conduct – A Board should have an overall governance document informing the company, its employees, stakeholders, and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
- Implementing Procedures – A Board should determine if the company has a written set of procedures that instructs employees on how to comply with the company’s compliance policy.
- Training – There are two levels of Board training. The first should be that the Board has a general understanding of what the FCPA is, and it should also understand its role in an effective compliance program.
- Monitor Compliance – A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.
- There have been recent FCPA enforcement actions where the DOJ and SEC discussed the failure of internal controls as a basis for FCPA liability. With the questions about the Wal-Mart Board of Directors and their failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or contrasting failing even to be aware of the allegations, there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program.
Three Key Takeaways:
- GTE compliance internal controls are low-hanging fruit. Pick them.
- Compliance with internal controls can be both detected and prevented controls.
- Good compliance with internal controls is good for business.
Board oversight of your compliance program can act as an internal control if properly documented. For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com.
In this episode, I visit with James Gellert, CEO of RapidRatings, a company that uses a financial dialogue to determine third-party supplier health and viability. Gellert explains what supply chain resilience is and how examining your suppliers’ financial health can lead to a more financially efficient supply chain. We then discuss the company’s third-party risk management tools. We consider how a company might evaluate a potential purchaser, partner, or someone buying a part of a business. Finally, we have a lengthy discussion of how a corporate compliance function uses the health of a third party as a tool to determine third-party compliance risk.
For more information on RapidRatings, check out their website by clicking here.
Categories
This Week in FCPA-Episode 56
[tweet_box design=”default” url=”http://wp.me/p6DnMo-3kx” float=”none”]
When do Mike & Mike agree on anything? Find out on This Week in FCPA. [/tweet_box]
Jay Rosen can be reached:
Mobile (310) 729-6746
Toll Free (866)-201-0903
JRosen@affiliatedmonitors.com
Tom Fox can be reached:
Phone: 832-744-0264
Email: tfox@tfoxlaw.com]]>
