Tag: DOJ

Categories
Blog

The SAP FCPA Enforcement Action-Part 2: The Box Score of Corruption

We continue our exploration of the Foreign Corrupt Practices Act (FCPA) enforcement involving the German software company, SAP. The company agreed to pay the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) approximately $222 million in penalties and disgorgement. SAP also entered into a three-year deferred prosecution agreement (DPA) with the Department of Justice imposing a $118.8 million criminal penalty and an administrative forfeiture of $103.4 million. Today we look at SAP’s compliance program requirements for third parties, the Box Score of corruption, the corrupt agents and the bribery schemes used across the globe by SAP.

The Box Score

The breadth and scope of SAP’s illegal conduct was simply stunning, literally running across the globe. For those not keeping scoring at home, I put together a Box Score of the location/entity bribed, the amount of the bribe (where reported) and the benefit obtained by SAP. Once again, it was simply stunning.

Location and Entity Where Bribe Paid Amount of Bribe Revenue Generated
South Africa-Transnet $562,215 $4.4MM
South Africa-Transnet $1MM $6.58MM
South Africa- City of Johannesburg $120K $13.16MM
South Africa-Eskom $5.18MM $28.58MM
South Africa-Dept. Water and Sanitation (DWS) $527,460 $35.4MM
Malawi Not reported $1.1MM
Tanzania-Ports Authority

 

 Not reported $828K
Ghana National Petroleum Corporation

 

 $400K $1.20MM
Indonesian Ministry of Communication and Information Technology

 

 $67,380 $268,135

 
Indonesian Ministry of Maritime Affairs and Fisheries

 

 App. $5000 $80,500
Indonesia- PT Pertamina

 

 Not reported $13K
Indonesia- Pemda DKI

 

 Not reported $383K
Indonesia- PT Angkasa Pura I

 

 Not reported $1.09MM
Indonesia- PT Angkasa Pura II

 

 Not reported $2.53MM
Azerbaijan- State Oil Company

 

 $3000 $1.6MM
Totals Reported in Settlement Docs-$7.8 Reported by DOJ-$103,369,765

SAP Policies and Procedures

SAP used third parties, monikered as Business Development Partners (“BDPs”), which were eligible to earn commissions for SAP sales on which they assisted. Moreover, as noted in the SEC Order, “SAP’s internal policies and procedures for working with third parties required employees to conduct due diligence to assess risk and ensure: (1) That a third party had no relations (as a family member) to the SAP customer or a potential customer, and (2) That the third party was not a government official, government employee, political party official or candidate, or officer or employee of any public international organization or an immediate family member of any of these. In addition, with respect to BDPs, all sales commission contracts had to be in writing and clearly define the services to be provided and the related business and payment terms.”

SAP’s internal controls went on to require its subsidiaries and employees were “to use a model agreement that included standard commission rates and to follow a standardized internal approval process, which required the involvement and approval of the local legal department or compliance officer, the subsidiary’s local managing director, and its local chief financial officer. In cases where a BDP agreement required non-standard terms, regional management had to provide additional approvals. The policy documents explicitly state that they were put into place to ensure that no relationship with a third party would be used to inappropriately influence a business decision or pay bribes to government officials.”

The Corrupt Agents

In the corruption involving the South African entity Transnet, the SEC Order noted that “SA Intermediary 1 ever being present at meetings with Transnet, nor does SA Intermediary 1 appear to have a credible IT background or experience.” Regarding another corruption agent call SA Intermediary 2, it stated, “SAP South Africa paid approximately $1 million in commission fees to SA Intermediary 2, a South African 3D printing firm despite the fact that it provided no tangible services to SAP. SAP South Africa and its employees knew about the red flags relating to SA Intermediary 2’s ownership. The former director of SA Intermediary 2 admitted that the entity had “no expertise” or skills to provide meaningful services on the Transnet deal and also said he had no knowledge of SA Intermediary 2 providing any services. During an SAP-initiated audit of SA Intermediary 2, the third party failed to provide evidence of any services performed.” Indeed the DOJ Information noted that in a 2017 review by SAP in 2017, “revealed that Intermediary 2 had no financial statements (audited or unaudited), had not filed any returns for employee tax purposes, and found no signs of activity at Intermediary 2’s claimed business address.

When it came to Eskom, the SEC Order noted, “SA Intermediary 3, a purported IT consultant on the Eskom project. SA Intermediary 3, however, never performed any services. Instead, SAP South Africa’s Managing Director instructed SAP South Africa employees to perform the consulting work in SA Intermediary 3’s stead and still paid the entity a total of $1.6 million. Notably, officials at Eskom approved these payments despite SA Intermediary 3’s absence on the project. SAP also retained SA Intermediary 2 to perform vague services on Eskom contracts dated March, 2016 and November 2016 that, as a 3D printing company, SA Intermediary 2 was unqualified to perform. Regardless, SAP South Africa paid SA Intermediary 2 a total of $5.18 million in consulting fees.”

The Bribery Schemes

The thing which struck me about the bribery schemes was that they were so pedestrian, yet they permeated SAP from 2014-2022. Yet there very pedestrian nature serves not only as a warning for companies and compliance professionals but also as a road map for compliance program monitoring, improvement and remediation. From the very start of the corruption in South Africa, SAP employees began to avoid, evade and violation SAP internal compliance requirements.

  1. South Africa

In South Africa, in addition to the bribery schemes noted in the section above, where payments were made for non-existence work or services billed by the corrupt agents, “bank records indicate that shortly after the deal closed, SA Intermediary 1 paid $562,215, characterized as “loans,” to an individual known to be involved in making bribe payments.” In SAP’s contract with the City of Johannesburg, the SEC Order noted, “In addition to these cash payments, SAP South Africa paid for trips to New York for government officials in May and September 2015, including the officials’ meals and golf outings on the trips.” The DOJ Information reported that these payments were recorded in SAP books and records as ‘sales commission payments.’ Finally, in the contract involving the DWS, the SEC Order stated, “The local business partners were paid at a 14.9% commission rate, the maximum allowed under SAP policy without approval from the Board. SAP South Africa employees engaged both BDPs at the highest commission percentage allowed, staying under the 15% commission rate so as to avoid the need to obtain higher level approvals, and authorized the payment despite the local partners’ failure to meet deliverables relating to the DWS transactions.” The DOJ Information further noted that the bribe payment was routed through a second corrupt agent, in an attempt to conceal the criminal nature of the bribe.

2. Indonesia

The SEC Order noted that in “Indonesia, Intermediary 1 used fake training invoices to issue payments that created slush funds to pay bribes. Employees at Indonesia Intermediary 1 created shell companies to generate these false expenses. Some of the false invoices generated kickback payments to employees at the Indonesia Intermediary 1, some paid for customer excursions, and others generated cash payments to government officials at state-owned entities.” Next, “Indonesia Intermediary 1 employees, paid for shopping excursions and dining for a BP3TI official and his wife during a June 2018 trip to New York City, in route to attending the 2018 SAP Sapphire Conference in Orlando, Florida.” Additionally travel expenses, gifts, meals and entertainment was paid for by the Indonesian Intermediaries.

3. Azerbaijan

Lastly, in Azerbaijan, a mid-level SAP employee provided improper gifts in December 2021 and January 2022 to multiple SOCAR officials in an effort to close the deal. The SEC Order stated, “Several SOCAR officials received gifts totaling approximately $3,000, well above SAP’s gift limit of $30. Text messages indicate that the employee was rewarding senior officials who supported, and were directly responsible for, approving the pending sale. The employee also prepared a fake Act of Acceptance between SOCAR and an SAP Azerbaijan partner, which she submitted to the SAP contract booking team on February 4, 2022. SOCAR signed the real Act of Acceptance on May 12, 2022. Evidence indicates that the employee was attempting to claim a commission on the deal before her pending promotion to SAP Azerbaijan Managing Director became effective, after which she would not be eligible to earn additional compensation from the sale.”

Once again, the thing that struck me about all these schemes is there is really nothing new, innovative or particularly novel about any of these bribery schemes. It speaks to the basic blocking and tackling which every compliance program needs to engage in at due diligence and then throughout the life cycle of the third-party relationship.

Join us tomorrow where we consider the comeback made by SAP after the investigation began.

Categories
Blog

The SAP FCPA Enforcement Action-Part 1: Introduction

The year in Foreign Corrupt Practices Act (FCPA) enforcement started off with a bang on January 10 with the announcement of a resolution of the outstanding SAP enforcement action. The bribery schemes used by SAP were massive in scope and literally worldwide in geographic area. As usual, Harry Cassin at the FCPA Blog broke the story for the compliance profession. SAP SE agreed to pay the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) approximately $222 million in penalties and disgorgement. SAP also entered into a three-year deferred prosecution agreement (DPA) with the Department of Justice imposing a $118.8 million criminal penalty and an administrative forfeiture of $103.4 million. Cassin went on to the note that the DOJ “will credit up to $55.1 million of the criminal penalty against amounts that SAP pays to resolve an investigation by law enforcement authorities in South Africa for related conduct, and up to the full forfeiture amount against disgorgement that SAP pays to the SEC or South African authorities.”

The SEC Press Release noted that the illegal actions included bribery schemes in the following countries: South Africa, Malawi, Kenya, Tanzania, Ghana, Indonesia, and Azerbaijan. SAP was held liable by the SEC based up its ownership of American Depositary Shares (ADR) shares which are listed on the New York Stock Exchange and violating the FCPA by employing third-party intermediaries and consultants from at least December 2014 through January 2022 to pay bribes to government officials to obtain business with public sector customers in the seven countries mentioned above. The SEC total fine and penalty was nearly $100 million. This figure represents disgorgement to the SEC of “$85 million plus prejudgment interest of more than $13.4 million, totaling more than $98 million, which will be offset by up to $59 million paid by SAP to the South African government in connection with its parallel investigations into the same conduct.”

What They Said

In a DOJ Press Release, Acting Assistant Attorney General for the Criminal Division, Nicole M. Argentieri said, “SAP paid bribes to officials at state-owned enterprises in South Africa and Indonesia to obtain valuable government business. Today’s resolution—our second coordinated resolution with South African authorities in just over a year—marks an important moment in our ongoing fight against foreign bribery and corruption. We look forward to continuing to strengthen our relationship with South African authorities and others around the world. This case demonstrates not only the critical importance of coordinated international efforts to combat corruption, but also how our corporate enforcement policies incentivize companies to be good corporate citizens, by cooperating with our investigations and appropriately remediating, so that we can take strong action to address misconduct.”

U.S. Attorney Jessica D. Aber for the Eastern District of Virginia also noted, “SAP has accepted responsibility for corrupt practices that hurt honest businesses engaging in global commerce,” said. “We will continue to vigorously prosecute bribery cases to protect domestic companies that follow the law while participating in the international marketplace.”

Postal Inspector in Charge of Criminal Investigations Eric Shen noted,  “When the mails are used in furtherance of a fraud or corruption scheme, borders are not an obstacle for U.S. Postal Inspectors. Postal inspectors, with our FBI law enforcement partners and Justice Department prosecutors, followed the wide-spread trail of bribes and corruption from South Africa to Indonesia. This joint effort resulted in the defendant company paying a significant criminal penalty and agreeing to long-term remedial measures.”

Assistant Director in Charge of the FBI’s Los Angeles Field Office, Donald Always added “This successful resolution against SAP is another example of the power of relationships and persistence. The sustained diligence by the prosecution team and continuous collaboration with South African law enforcement, regulators, and prosecutors identified corrupt activity in multiple countries. The FBI will continue our nonstop efforts to identify, investigate, and prosecute companies willfully engaging in corrupt activities around the world.”

Finally, Charles E. Cain, Chief of the SEC Division of Enforcement’s FCPA Unit, said in the SEC Press Release, “Our order holds SAP accountable for misconduct that spanned seven jurisdictions and persisted for several years and serves as a stark reminder of the need for global companies to be attuned to both the risks of their business and the need to maintain adequate entity-level controls over all their subsidiaries.”

Order and Information

The SEC Order found that SAP violated the FCPA by employing third-party intermediaries and consultants from at least December 2014 through January 2022 to pay bribes to government officials to obtain business with public sector customers in the seven countries mentioned above.” Additionally, “SAP inaccurately recorded the bribes as legitimate business expenses in its books and records, despite the fact that certain of the third-party intermediaries could not show that they provided the services for which they had been contracted.” Finally,  “SAP failed to implement sufficient internal accounting controls over the third parties and lacked sufficient entity-level controls over its wholly owned subsidiaries.”

The DOJ Information found that between approximately 2015 and 2018, “SAP, through certain of its agents, engaged in a scheme to bribe Indonesian officials to obtain improper business advantages for SAP in connection with various contracts between and among SAP and Indonesian departments, agencies, and instrumentalities, including the Kementerian Kelautan dan Perikanan (the Indonesian Ministry of Maritime Affairs and Fisheries) and Balai Penyedia dan Pengelola Pembiayaan Telekomunikasi dan Informatika (an Indonesian state-owned and state-controlled Telecommunications and Information Accessibility Agency).”

Given SAP’s prior SAP enforcement history, its recidivist status FCPA status,  its culture of non-compliance (at the very least), a non-prosecution agreement (NPA) from 2021 with the DOJ’s National Security Division, as well as administrative agreements with the Departments of Commerce and the Treasury relating to export law violations; one might wonder  SAP was able to receive such a superior result. Over the next several blog posts, we will be exploring that issue as well a host of others for the compliance professional. I hope you will join me over the next few blog posts.

Categories
31 Days to More Effective Compliance Programs

Day 31 to a More Effective Compliance Program: Day 13 – Policies and Procedures

There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly the first line of defense when the government comes knocking. The 2023 ECCP made clear that “Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process.” This statement made clear that the regulators will take a strong view against a company that does not have well-thought-out and articulated policies and procedures against bribery and corruption, all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, and Document” mantra applies just as strongly to policies and procedures in anti-corruption compliance.

Three key takeaways:

1. Written compliance policies and procedures, together with the Code of Conduct, form the backbone of your compliance program.

2. The DOJ and SEC expect a well-thought-out and articulated set of compliance policies and procedures and that they be adequately communicated throughout your organization.

3. Institutional fairness for the application of policies and procedures demands consistent application of your policies and procedures across the globe.

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Welcome to 2024 Edition

What happens when two top compliance commentators get together? They talk about compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode! In this episode, Tom and Kristy take on a wide variety of topics, including the self-improvement of the Florida Man gone astray.

In the ever-evolving world of regulatory compliance and risk management, challenges are constant, and strategies must be dynamic. Tom highlights the SFO, culture assessments, Key Board issues for 2024 and the McDonald’s Doctrine. Kristy highlights the new law, FEPA, Supply Chains, AI, and checks in on Florida Man. Join Tom Fox and Kristy Grant-Hart as they delve deeper into these issues in this episode of the 2 Gurus Talk Compliance podcast.

Highlights Include:

  1. U.S. Prosecutors Can Charge Foreign Officials With Bribery Under New Provision (WSJ)
  2. New Actions from the White House Highlight the Difficulty of Tracing Forced Labor in Supply Chains (Supply Chain Brain Blog)
  3. Maryland looks to harness AI for government use with executive order (Washington Post)
  4. WorkLife’s definitive guide to what’s in and out for 2024 (WorkLife)
  5. Analysis of failure to exercise duty of oversight by a corporate officer. (D&O Diary)
  6. Key Board issues for 2024. (Compliance and Enforcement)
  7. Are emojis evil? (FCPA Blog)
  8. SFO hammered in the ENRC report. (WSJ)
  9. Why do you need to do a culture assessment? (CCI)
  10. Florida woman sues Hershey for $5 million over ‘deceptive’ Reese’s packaging (ABC News)

 Resources:

Kristy Grant-Hart on LinkedIn

Spark Consulting

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 12 – Your Code of Conduct

What is the value of having a Code of Conduct? In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to wave in a regulator’s face during an enforcement action as proof of ethical overall behavior. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s internal law? What should be the goal of the creation of your company’s Code of Conduct?

How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, Inc., which turned on a violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be an FCPA internal control violation. It involved a clear quid pro quo benefit paid out by United to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity that has authority over, among other things, United’s operations at the company’s huge east coast hub in Newark, NJ.

Three key takeaways:

1. A Code of Conduct is a foundational document in any compliance regime.

2. The substance of your Code of Conduct should be tailored to the company’s culture, to its industry, and to its corporate identity.

3. “Document, Document, and Document” your training and communication efforts regarding your Code of Conduct.

Categories
Daily Compliance News

Daily Compliance News: January 11, 2024 – The SAP Again Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • FINRA says AI is emerging.  (WSJ)
  • SAP has yet another FCPA enforcement action.  (FCPA Blog)
  • Microsoft OpenAI investment faces EU scrutiny. (Reuters)
  • The SEC approves a new type of Bitcoin fund.  (NYT)
Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 10 – Leadership’s Conduct at The Top

The 2022 Monaco Memo emphasized the basic point that the key to every company is culture. The bottom line is that corporate culture matters, and corporate culture that fails to hold individuals accountable or fails to invest in compliance—or worse, that thumbs its nose at compliance—leads to bad results.

To assist companies in understanding this requirement, the 2023 ECCP sets out inquiries demonstrating that DOJ requirements are more than simply the ubiquitous “tone-at-the-top,” as they focus on the conduct of senior management. The DOJ wants to see a company’s senior leadership actually doing compliance. The DOJ asks if company leadership has, through their words and concrete actions, brought the right message of doing business ethically and in compliance to the organization. How does senior management model its behavior based on a company’s values and finally, how is such conduct monitored in an organization?

Three key takeaways:

1. Senior management must actually do compliance—not simply talk the talk of compliance but also walk the walk.

2. The DOJ is now actively assessing corporate culture during investigations.

3. Your CEO is a Compliance Ambassador.

 

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 9 – Continuous Monitoring and Continuous Improvement

Continuous monitoring and continuous improvement are two of the most important phrases for any compliance program. These twin concepts were further enshrined in the 2023 Update to the Evaluation of Corporate Compliance Programs (2023 ECCP). In 2023, all companies’ risks changed as we moved from Working From Home to Return To Office and, now, a hybrid model. In addition to this straight-forward change in risk due to working locations, new risks in the form of geopolitical, supply chain, and export control, as well as increased risk due to social media, continue to impact compliance programs.  Your compliance program must be ready to respond to whatever those risks might be going forward.

Continuous improvement runs the gamut in a best practices compliance program, from risk assessments to policies and procedures to periodic testing and review.

Three key takeaways:

1. How have your company’s risks changed over the past year, and how will they change in 2024?

2. What is your process for continuous monitoring and improvement?

3. What sources of information do you use that come from outside your organization?

Categories
Blog

Compliance Program Use of Data Analytics

Matt Galvin, Counsel, Compliance & Data Analytics at the DOJ and one of the experts leading the DOJ’s data analytics initiative, highlighted in another talk, the proactive use of data to generate cases related to the FCPA and emphasized that this is just the beginning. The DOJ expects companies to adopt a similar data-driven approach to compliance. In her speech, Argentieri speech where she stated, “just as we are upping our game when it comes to data analytics, we expect companies to do the same.” This expectation extends beyond simply tracking trainings, policies, and investigations. The DOJ’s focus is on monitoring third parties throughout the lifespan of the relationship, not just during the onboarding process.

This means that  while due diligence and background checks are essential, the real risk of fraud occurs during the actual business transactions with third parties. Companies need to go beyond initial checks and continuously monitor high-risk vendors, contract terms, and other relevant data sources. By mapping risks to data sources and implementing effective tests, companies can identify and prioritize risky transactions. The increasing accessibility and cost-effectiveness of data analytics have made it a viable option for companies of all sizes. It can help companies demonstrate effective compliance programs, uncover hidden financial irregularities, and improve overall efficiency. The importance of continuous data analysis in compliance programs was highlighted by the Bank of America CFPB enforcement action.

However, implementing a data-driven compliance program comes with its own set of challenges. There is still confusion among the compliance community regarding what data analytics entails and how it should be applied. Data-analytics should be seen as a process-oriented approach rather than treating it as a one-time project. Data analytics should be integrated into the compliance program as a continuous business process, similar to third-party due diligence.

The Bank of America CFPB enforcement action case serves as a reminder of the importance of the use of data analytics in corporate compliance. Bank of America had the necessary data and tools to build an analytics program, but they failed to effectively utilize it, leading to compliance issues. This case highlights the need for companies to not only have data analytics capabilities but also to ensure they are properly implemented and maintained.

While data analytics can be a powerful tool for corporate compliance, there are challenges associated with its use. Companies must navigate the tradeoffs involved in balancing different factors, such as the level of sophistication required, resource allocation, and the potential risks of self-disclosure. Additionally, companies must consider the potential criticism they may face if they fail to effectively utilize their analytics tools in the event of a major compliance violation.

The Argentieri speech highlighted the DOJ’s (and SEC’s) increasing focus on data analytics for corporate compliance highlights the importance of this tool in identifying and addressing corporate misconduct. Companies, especially larger ones, are expected to enhance their data analytics capabilities and may face increased pressure for voluntary self-disclosure. However, companies must also navigate the challenges and tradeoffs associated with data analytics to ensure effective compliance and mitigate risks.

The DOJ’s increasing use of data analytics for proactive enforcement has far-reaching implications. Companies must recognize the importance of adopting a data-driven approach to compliance and invest in the necessary resources and technology. By doing so, they can not only meet the DOJ’s expectations but also improve the effectiveness of their compliance programs and mitigate the risk of fraud.

The DOJ’s increasing use of data analytics for proactive enforcement signifies a significant shift in their approach to combating white-collar crime. Companies must embrace this data-driven approach to compliance, continuously monitor high-risk transactions, and invest in the necessary resources and technology. By doing so, they can demonstrate effective compliance programs, uncover hidden financial irregularities, and improve overall efficiency.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 8 – Operationalizing Compliance Through Payroll

One of the areas articulated in the 2023 ECCP was around payments and payroll. For both the compliance professional and the corporate payroll function, there is a significant role to play in the operationalization of a corporate compliance program. The 2023 ECCP was replete with references to payment and its critical nature to any best practices compliance program. This includes references to payments to foreign officials, payments to third parties, and hiding bribes in payments to distributors. The 2023 ECCP begins with an admonition to stop wasting time on low-hanging fruit when there are much higher risks in your business operations.

The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is out of payroll. All CCOs need to sit down with their head of payroll, have them explain the role of payroll, and then review the internal controls in place to see how they facilitate compliance goals. From that review, you can then determine how to use payroll to help operationalize your compliance program.

The DOJ has now provided its clearest statement on how it expects a company to actually comply going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from compliance violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process that should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well-suited corporate discipline to provide this first level of oversight and control.

Three key takeaways:

  1. Payroll can be a key to preventing and detecting control
  2. The 2020 Update specified the tie between the corporate compliance function and the corporate payroll function.
  3. Offshore payments remain a key indicator of a red flag.