Categories
Blog

Day 12 of One Month to More Effective Internal Controls-Board Oversight as an Internal Control

Best practices compliance program. The first in Hallmark No. 1 states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources,” which says the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided sufficient information to enable independent judgment?

The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. I believe that a Board must have a corporate compliance program in place and actively oversee that function.

Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and the compliance function. The Board must ask hard questions and be fully informed of the company’s overall compliance strategy. Lawyers often speak to and advise Boards on their legal obligations and duties. If a Board’s oversight is part of effective financial controls under Sarbanes Oxley (SOX), that includes effective compliance controls. Failure to do either may result in something far worse than bad governance. It may directly lead to an FCPA violation and could even form the basis of an independent FCPA violation. A company must have a corporate compliance program in place and actively oversee that function. A failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Internal controls work together with compliance policies and procedures and are interrelated control mechanisms. There are five general compliance internal controls for a Board or Board subcommittee role for compliance:

  1. Risk Assessment – A Board should assess the compliance risks associated with its business.
  2. Corporate Compliance Policy and Code of Conduct – A Board should have an overall governance document informing the company, its employees, stakeholders, and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
  3. Implementing Procedures – A Board should determine if the company has a written set of procedures that instructs employees on how to comply with the company’s compliance policy.
  4. Training – There are two levels of Board training. The first should be that the Board has a general understanding of what the FCPA is, and it should also understand its role in an effective compliance program.
  5. Monitor Compliance – A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.
  6. There have been recent FCPA enforcement actions where the DOJ and SEC discussed the failure of internal controls as a basis for FCPA liability. With the questions about the Wal-Mart Board of Directors and their failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or contrasting failing even to be aware of the allegations, there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program. 

Three Key Takeaways:

  1. GTE compliance internal controls are low-hanging fruit. Pick them.
  2. Compliance with internal controls can be both detected and prevented controls.
  3. Good compliance with internal controls is good for business.

Board oversight of your compliance program can act as an internal control if properly documented. For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Categories
FCPA Compliance Report

FCPA Compliance Report – Episode 337 – James Gellert on Assessing 3rd Party Financial Health for Compliance

In this episode, I visit with James Gellert, CEO of RapidRatings, a company that uses a financial dialogue to determine third-party supplier health and viability. Gellert explains what supply chain resilience is and how examining your suppliers’ financial health can lead to a more financially efficient supply chain. We then discuss the company’s third-party risk management tools. We consider how a company might evaluate a potential purchaser, partner, or someone buying a part of a business. Finally, we have a lengthy discussion of how a corporate compliance function uses the health of a third party as a tool to determine third-party compliance risk. 

For more information on RapidRatings, check out their website by clicking here.

Categories
This Week in FCPA

This Week in FCPA-Episode 56

  • The Kokesh case at the US Supreme Court is significant for SEC enforcement of the FCPA around profit disgorgement. For what it means to the compliance practitioner, see Tom’s piece in the FCPA Compliance & Ethics Blog. For a legal review of the decision, see Miller & Chevalier client alert authored by Saskia Zandieh. Marc Bohn considered the case in the FCPA Blog. Marc and I discuss the case on the FCPA Compliance Report, Episode 332.
  • Trevor McFadden to leave the DOJ for federal bench. See article by Matt Kelly in Radical Compliance. Hui Chen’s contract not to be renewed, her position is posted for job applicants. Apply for the position here. Andrew Weissman leaves as head of the Fraud Section to go Special Prosecutor’s staff.
  • Former PetroTiger General Counsel Gregory Weismann is banned from SEC practice. See article in the FCPA Blog.
  • Matthew Stephenson considers what a Wal-Mart settlement might look like. See his article in the Global Anti-Corruption Blog.
  • The federal judge who sentenced Samuel Mebiame, the bag man for Och-Ziff; criticized the DOJ for its lack of prosecution of any individuals from the company. See article by Sam Rubenfeld in WSJ Risk and Compliance Report.
  • Jay previews his weekend report.
  • Tom continues to talk about the release of his new book 2016 – The Year in Corporate FCPA Enforcement. For more information and to purchase, click here.
  •  
    [tweet_box design=”default” url=”http://wp.me/p6DnMo-3kx” float=”none”]
    When do Mike & Mike agree on anything? Find out on This Week in FCPA. [/tweet_box]
    Jay Rosen can be reached:
    Mobile (310) 729-6746
    Toll Free (866)-201-0903
    JRosen@affiliatedmonitors.com
    Tom Fox can be reached:
    Phone: 832-744-0264
    Email: tfox@tfoxlaw.com]]>

    Categories
    This Week in FCPA

    This Week in FCPA-Episode 46, the On the Rode to Prague Edition

  • Why powerful people fail to stop bad behavior by their underlings. Click here for the article.
  • Some policy management lesson, courtesy United Airlines. Click here for Matt Kelly’s article on Radical Compliance.
  • Why you shouldn’t linger too long in the wrong compliance position. See Julie DiMauro’s blog post on the FCPA Blog.
  • Bribe recipient in the Gerald and Patricia Green FCPA case gets 50 years in prison. See article in the FCPA Blog.
  • Using data to operationalize your compliance program. Read Tom’s blog post, by clicking here.
  • What the New York state Department of Financial Services new regulation on cybersecurity for financial services companies means for compliance officers. See Tom’s blog post by clicking here.
  • Jay previews his weekend report.
  • Jay Rosen new contact information:
    Jay Rosen, CCEP
    Vice President, Business Development
    Monitoring Specialist
    Affiliated Monitors, Inc.
    Mobile (310) 729-6746
    Toll Free (866)-201-0903
    JRosen@affiliatedmonitors.com
    [tweet_box design=”default” url=”http://wp.me/p6DnMo-3aD” float=”none”]How can the use of data help to operationalize your compliance program?[/tweet_box]]]>

    Categories
    Compliance Into the Weeds

    Compliance into the Weeds-Episode 33, enhancing culture

    Great Speech About Improving Corporate Culture“.]]>

    Categories
    Compliance Into the Weeds

    Day 18 of One Month to Operationalizing Your Compliance Program-Through Management of Third Party Relationships

    Management of Relationships – How has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company monitored the third parties in question? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties?
    If you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA violation. Now the DOJ has explicitly adopted this approach as a key determination of whether you have operationalized your compliance program. There are several different ways that you should manage your post-contract relationship.
    Relationship Manager
    There should be a Relationship Manager for every third party which the company does business with through the sales chain. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include:

    • Point of contact with the Third Party for all compliance issues;
    • Maintaining periodic contact with the Third Party;
    • Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
    • Submitting annual reports summarizing services provided by the Third Party;
    • Assisting the company’s compliance function with any issues with respect to the Third Party.

    The Relationship Manager can be the Business Sponsor who prepared the Business Rationale discussed on Day 17. By using the Business Sponsor as the Relationship Manager, your company will further operationalize compliance by continuing to have the business unit lead the front-line relationship, communications and contact with the third party. As noted compliance commentator Scott Moritz has said, “This puts the onus on each stakeholder.”
    Compliance Professional
    Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such a resource. A third party may not be large enough to have its own compliance staff so any company using third party representatives should provide a dedicated resource to third parties. This will not create a conflict of interest nor are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the relationship manager to provide advice, training and communications to the third party.
    Third Party Oversight Committee
    A Third Party Oversight Committee further operationalizes compliance. It review all documents relating the full panoply of a third party’s relationship with a company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third party who might represent a company on the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in anti-corruption compliance, this is a manner to deliver additional management of that risk.
    After the commercial relationship has begun the Third Party Oversight Committee should monitor the third party relationship on no less than an annual basis.  This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplement risk associated with any negative information discovered from a review of financial audit reports on the third party. The Third Party Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance.  In addition to the above remedial review, the Third Party Oversight Committee should review all payments requested by the third party to assure such payment are within the company guidelines and are warranted by the contractual relationship with the third party. Lastly, the Third Party Oversight Committee should review any request to provide the third party any type of non-monetary compensation.
    Audit
    A key tool in operationalizing the relationship with a third party post-contract is auditing the relationship. You should secured audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a base line, any audit of a third party include, at a minimum, a review of the following:

    1. the effectiveness of existing compliance programs and codes of conduct;
    2. the origin and legitimacy of any funds paid to Company;
    3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
    4. all disbursements made for or on behalf of Company; and
    5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

    If you want to engage in a deeper dive you might consider evaluation of some of the following areas:

    • Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
    • Determine that actual due diligence took place on the third party.
    • Review FCPA compliance training program; both the substance of the program and attendance records.
    • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
    • Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
    • Review employee expense reports for employees in high-risk positions or high-risk countries.
    • Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
    • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
    • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
    • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances.

    Three Key Takeaways

    1. Management of the third party relationship is the key step in determining the effectiveness of your compliance program in this risk area.
    2. By using non-compliance functions, such as the Business Sponsor or Relationship Manager you more fully operationalize your compliance program.
    3. Never forget to put a second set of eyes on all third party relationships.

    This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
    [tweet_box design=”default” url=”http://wp.me/p6DnMo-37H” float=”none”]Management of 3rd parties is where the rubber meets the road in operationalizing your compliance program.[/tweet_box]]]>

    Categories
    Compliance Into the Weeds

    Compliance into the Weeds-Episode 28

    Microsoft Cybersecurity Tool May Prompt Compliance” as a starting point to consider the Big Brother implications, two-step security features, AI issues and all of this ties directly into the corporate compliance function.
    [tweet_box design=”default” url=”http://wp.me/p6DnMo-33j” float=”none”]Microsoft’s Secure Score paves the way for better and more efficient compliance.[/tweet_box]]]>

    Categories
    Everything Compliance

    This Week in FCPA-Episode 38, the M&M Edition

    Show Notes for Episode 38, for the week ending February 3, the M&M edition:

    1. January a month for the FCPA record books. See article in the FCPA Blog.
    2. Are hunting trips a FCPA violation? How about in Sweden? See article in by Tom Fox in Compliance Week.
    3. VW update-what the former CEO knew and when did he know it and CCO ‘departs’. What does it all mean? See Tom Fox articles in Compliance Week on the former CEO and the departure of the CCO.
    4. New Tom Fox series on One Month to a Better Board, FCPA Compliance Report.
    5. Everything Compliance-Episode 6 is out. It is dedicated exclusively to Rolls-Royce.
    6. Jay Rosen Weekend Report preview.
    7. Super Bowl predictions.

    [tweet_box design=”default” url=”http://wp.me/p6DnMo-31q” float=”none”]What were the week’s top FCPA, compliance and ethics stories? Check out This Week in FCPA to find out. [/tweet_box]]]>

    Categories
    This Week in FCPA

    This Week in FCPA-Episode 35

    th edition:

    1. Hernandez and Beech FCPA guilty pleas. Hernandez Criminal Information, Beech Criminal Information.
    2. VW guilty plea in emissions-testing scandal. Link to article in New York Times.
    3. VW executive Oliver Schmidt arrested in US. See article on FCPA Compliance and Ethics Blog.
    4. Zimmer Bio-Met in follow-up FCPA enforcement action. See article on FCPA Blog.
    5. Mondelez FCPA enforcement action. See SEC Cease and Desist Order and article on FCPA Compliance and Ethics Blog.
    6. Supreme Court to take up 5 year statute of limitations for profit disgorgement under Securities Act, which applies to FCPA enforcement actions brought by SEC. Article in Law360.
    7. NFL Playoff update on Patriots, Cowboys and Texans.

    [tweet_box design=”default” url=”http://wp.me/p6DnMo-2XB” float=”none”]What were the FCPA matters, issues and lessons from the week ending January 13, 2017? Check out This Week in FCPA.[/tweet_box]]]>

    Categories
    This Week in FCPA

    This Week in FCPA-Episode 34, the Invisible Hand Edition

    In this episode Jay Rosen and I take a dive into the General Cable FCPA enforcement action, consider the ‘Invisible Hand’ of  Justice Department Compliance Counsel Hui Chen and greater regulatory enforcement, corporate response and innovation. We explain how these three factors combine in an ‘Invisible Hand’ to form a continuous improvement loop of compliance program innovation. It leads developments from cutting edge to best practices to becoming a routine part of an effective compliance program. We discuss the upcoming NFL divisional round of playoffs and conclude with Jay previewing the Jay Rosen Weekend Report. For more information on the General Cable FCPA enforcement action, check out my three-part blog post series:
    Part I-the Bribery Schemes
    Part II-the Comeback
    Part III-the Denouement
    [tweet_box design=”default” url=”http://wp.me/p6DnMo-2W9″ float=”none”]How does the invisible hand impact continuous improvement of compliance programs?[/tweet_box]]]>