I continue my exploration of recent enforcement matters and issues by turning to the Johnson Controls, Inc. (JCI) Foreign Corrupt Practices Act (FCPA) enforcement action, which was announced last week. Mike Volkov has called the enforcement action a “head scratcher”. Whether you agree with Volkov’s analysis or not, the case has several significant points for the Chief Compliance Officer (CCO) or compliance practitioner, which I will review today.
The matter was settled via a Cease and Desist Order (Order) from the Securities and Exchange Commission (SEC) and a Declination issued by the Department of Justice (DOJ). For its penalty, JCI accepted over $11.8 million in profits as a result of approximately $4.9 million in improper payments made by China Marine. JCI agreed to disgorge these profits, pay pre-judgment interest of $1,382,561 and a civil penalty of $1,180,000 for a total amount of $14,362,561.
The underlying facts are about as sordid as they can be for a corporate enforcement action. JCI obtained the Chinese unit, China Marine, through its purchase of York International (York) in 2005. In 2007, York paid $22 million to the DOJ and SEC to resolve FCPA offenses in China and other countries that occurred between 2001 and 2006. York agreed to a three-year independent compliance monitor. JCI, for its part, terminated those involved in China Marine’s illegal conduct after it acquired York.
JCI installed its own Managing Director and limited China Marine’s use of third party sales agents. However, as stated in the Order, “From 2007 to 2013, the managing director of China Marine, with the aid of approximately eighteen China Marine employees in three China Marine offices, continued the bribery and theft that began under his predecessor by using vendors instead of agents to facilitate the improper payments. The improper payments were made to employees of government-owned shipyards as well as ship-owners and unknown persons”.
The bribery scheme was quite sophisticated. It involved, “a multi-stepped arrangement that required the complicity of nearly the entire China Marine office from the managing director, to the sales managers, the procurement managers and finally to the finance manager. The managing director aided or at times approved requests for the addition of certain vendors to the vendor master file without disclosing that certain sales managers had ownership or beneficial interest in the vendors. After the managing director’s approval, sales managers added bogus costs for parts and services to sales reports, which inflated the overall cost of the project, and generated purchase orders for the bogus parts and services. The procurement manager knowingly approved the purchase orders.” The scheme even included the vendors themselves who “created fake order confirmations for the unnecessary parts and services and submitted invoices for payments.” To complete the circle, the China Marine finance manager would authorize the fraudulent payments.
In what can only be called a complete, total and utter failure of JCI’s internal controls, company auditors could not understand the China Marine transactions. Further, and with even more evidence of the lack of effective internal controls, many of China Marine’s transactions were deemed non-material so they were at a level below that which would trigger a review of corporate oversight from JCI’s Denmark office, which oversaw the China Marine business unit. The Order noted that the average vendor payment in the bribery scheme “was approximately $3,400” but the total amount of bribes paid was $4.9MM. One might reasonably wonder if JCI understood there was no materiality threshold under the FCPA. One might also ask if there was conscious indifference by the JCI corporate office.
For the CCO or compliance practitioner there are several important lessons to be garnered from this enforcement action. First is the absolute requirement for effective internal controls to be put in place. If your company does not understand the transactions that any subsidiary engages in, you have put your company at serious risk. For if a company’s internal auditors cannot understand a series of transactions, they you certainly cannot explain them to an auditor. Further, under Sarbanes-Oxley (SOX) §404, a company must not only acknowledge its responsibility for establishing and maintaining a system of internal controls and procedures for financial reporting and an assessment, but also report on the effectiveness of the company’s internal controls.
Karen Cascini and Alan DelFavero, in an article entitled “An Assessment of the Impact of the Sarbanes-Oxley Act on the Investigation Violations of the Foreign Corrupt Practices Act”, said, “Section 404 “requires management to annually disclose its assessment of the firm’s internal control structure and procedures for financial reporting and include the corresponding opinions by the firm’s auditor”. More particularly, “while the FCPA required public companies to institute effective internal controls to stop the bribes and make executives accountable, SOX 404 goes further, but has similar goals.”
All of this might reasonably lead one to ask, who at the corporate headquarters certified the effectiveness of both the JCI and China Marine’s internal controls? Moreover, the Accounting Provisions of the FCPA also includes a section requiring accurate books and records. Clearly JCI was not too interested in verifying the accuracy of the books and records of its China Marine subsidiary.
More than this lack of compliance with both prongs of the FCPA Accounting Provisions, the lack of seeming awareness of enhanced risks is a confounding aspect of this case. China Marine was clearly identified as a high-risk business unit of both York and later JCI. Simply putting your self-appointed Managing Director in place is not enough. Any competent risk management system requires oversight, or as my wife would say ‘a second set of eyes’. This is why an effective compliance program requires ongoing monitoring. It is even truer when an entire business unit is high-risk.
Tomorrow I will continue my exploration of the JCI enforcement action by looking at the DOJ’s Declination, in conjunction with the Pilot Program.
What are the lessons to be learned from the Johnson Controls FCPA enforcement action?Click to tweet
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2016