One of the most interesting tag lines I heard at Compliance Week 2016 was the following: if you want to work in my compliance department, you need to learn how to read a balance sheet. I thought that single line encapsulated the change in the compliance function over the past few years more than any other. Why? Because it speaks to the change of compliance from being centered in the legal department, run by lawyers as a rules-based program, to fully understanding that compliance is a business process that needs to be centered in its own discipline. For if you cannot read a balance sheet you cannot bring a positive value to a business unit.

Several different speakers emphasized this point during the conference, each coming at it from different angles. From the regulatory angle, Andrew Weissmann, Chief of the Department of Justice (DOJ) Criminal Division’s Fraud Section, spoke in terms of the operationalization of compliance as a key metric the DOJ will use to evaluate a compliance program under its new Pilot Program. Weissmann said the DOJ wants to know if the business unit of a company is responsible for at least a part of compliance. Weissmann had an interesting angle on the real problem for a Chief Compliance Officer (CCO), stating that if compliance is not embedded into the business, the problem is that the CCO simply becomes a policeman, telling the business unit what it cannot do. Or as I would say, being Dr. No from the Land of No.

Speaking on the same panel, Stephen L. Cohen, Associate Director of Enforcement, Securities and Exchange Commission (SEC), came at it from the angle of CCO involvement in the overall strategy and budgeting process of an organization. Cohen had several questions he would ask to determine the level of CCO independence within an organization. First and foremost, is the CCO a part of the senior management or the C-Suite? Is the CCO part of regular meetings of this group? He also would want to specifically know if the CCO was a part of overall strategy and company budgetary meetings.

In addition to the foregoing, Cohen had some additional questions he would consider. The first was who could over-rule the decision by a CCO within an organization. He would also inquire into who is making the decisions around salary and compensation for the CCO. Is it the CEO, the GC, the Audit Committee of the Board or some other person or group?

These views are an extension of what the DOJ Compliance Counsel Hui Chen spoke about when she began publicly speaking in her new role, particularly last fall at the New York University Program on Corporate Compliance and Enforcement public forum. At the forum, Chen stated there should be some significant thought put into a company’s compliance program. She expounded that stakeholders need to be a part of your compliance program design process and have input into the compliance internal controls.

Chen also made clear that your compliance program should be tied to the functional unit of a company. This means that Human Resources (HR), Payment, Audit, Vendor Management, IT, Supply Chain and all traditional indirect cost functions need to be involved in the operation of your compliance program in their respective areas of influence. Tied with the operationalization is the evidence that you, as the CCO or compliance practitioner, got out of your office and met with the stakeholders of your compliance program. This covers more than your compliance program design; it includes the compliance program implementation. She suggested evidence to show more than that compliance simply had a seat at the table, namely that compliance was actively involved with operational decision-making.

Chen also noted compliance needs to be a part of the discussions around how compensation systems are designed and particularly around discretionary bonus systems. She admitted that compliance’s views on compensation are not always sought but in her mind it is one area that, if utilized, would demonstrate a commitment to compliance by the organization.

Operationalizing compliance requires providing resources to the compliance function. This means more than monetary resources or even head count. In her remarks, Chen specified the twin resources of attention and commitment. This means how often do you meet personally with your Chief Executive Officer (CEO), Audit Committee of the Board and the full Board of Directors? Chen said that she would inquire into the details of these briefings, so, for instance, are the briefings based on employee surveys, quantitative data or is it simply anecdotal information? She said that it is important that compliance have a real dialogue with the C-Suite and not a rote briefing.

Interestingly another conference session featured three compliance professionals who have had the experience of making presentations to the DOJ where the new Compliance Counsel was present. All three spoke about Chen testing whether the compliance program was “real”, meaning had they been able to operationalize it into the organization. This step of operationalizing your compliance program entails moving far beyond being Dr. No from the Land of No. You have to move your compliance initiatives down into the business functions that oversee each step of the process. This means working with HR, IT, Internal Audit, Finance, Sales, Marketing, Business Development, Supply Chain and all the other corporate functions.

If you want to get into a compliance function, you are going to have to know more than simply the Foreign Corrupt Practices Act (FCPA), other laws, rules and regulations. You have to be seen as a part of the business that actually gets things done. Looking and playing lawyer is not going to get it done because the role of in-house counsel is to protect the company, sometimes from outside forces and sometimes from inside the organization. Operationalizing compliance means embedding the processes of compliance into each unit within the organization. Can anyone consider HR not being a compliance risk after the BNY Mellon and Qualcomm FCPA enforcement actions? Putting anti-corruption compliance processes into HR is mandatory now but if you do not understand how HR works, you will not be able to advise them how to do so.

This is the same with every other functional organization in a company. If you cannot read a balance sheet, you cannot perform the most basic function in a business. So if you want to get into the compliance profession… learn how to read a balance sheet.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

 

This week I have been exploring the Public Accounting Oversight Board (PCAOB) with Joe Howell, an Executive Vice President (EVP) with Workiva Inc. We have considered how some of the issues addressed by the PCAOB directly impact the Foreign Corrupt Practices Act (FCPA) compliance practitioner in ways that might not seem immediately self-evident. Today I will conclude my series with Howell by considering some of the costs for the failure of internal controls and how auditors, governed by the PCAOB, can help foster and facilitate a best practices compliance program.

There is no materiality standard under the FCPA. This is generally a different standard than internal auditors or accountants consider in a company. However, Howell believes their approach is wrong, based on more than just a plain reading of the statute itself. This is because Howell feels it is not simply the materiality of the bribe; it may not even be the materiality of the contract that you receive because of the bribe. Howell’s view is that it is much broader, as the materiality would be the entire cost for which the company could potentially be liable: pre-resolution investigation, an enforcement penalty and fine, and then post-settlement remediation or other costs.

Howell began by noting that a company must report contingent liabilities in its financial statements, if only in notes. Even if a company cannot estimate these costs, they must be described. A financial statement would be incomplete and actually wrong if it fails to describe a liability when you know that you have one. This means “If a company discovers that a bribe was paid and a fraud was perpetrated and that money was used to pay a bribe, they now know that they have some sort of liability, a cost that they’re going to have to recognize at some point, but they don’t know how much it is yet.”

Howell acknowledges there can be many reasons why a corporation would not want to put such a disclosure on the face of its financial statements; nevertheless, they do need to describe it in the financial statements in order to actually give the reader of the financial information the full picture that they are required to provide.

Any FCPA investigation is going to have a profound cost. If a company desires to take advantage of the new Department of Justice (DOJ) Pilot Program and self-disclose to the DOJ and Securities and Exchange Commission (SEC), it still may result in a risk of a fine, disgorgement of profits and other penalties. Howell added, “then monitoring at the backend and penalties and reputational risk. All of which go together to be material to the company. Even though the bribe was a little bribe, even though the fuse was a small fuse, the bomb is a big bomb. When you see a fuse, notice that it’s been lit, you have an obligation to report that. That’s material. It’s relevant to the reader of the financial statements. Because the fuse is small, you can’t say, I don’t have to report it.”

In an interesting insight for the Chief Compliance Officer (CCO) or compliance practitioner to consider, Howell said that even if you remediate but make the decision not to self-disclose, that alone may be evidence that your books and records are not accurate. Take a minute to consider that from the SEC perspective. If your SOX 404 disclosure does not reflect any reportable FCPA incidents because you have remediated and made the decision not to self-disclose, that alone can be a violation of the FCPA.

While Howell believes that such contingencies will resolve themselves over time, he believes it is important to make that immediately available to readers of the financial statements. He went on to state that there are large numbers of diverse constituencies who depend on your accurate financial statements. These include, “your bankers, creditors, as well as your shareholders. You may have relationships that are contractual relationships with suppliers, customers that could be affected by this. You may have contracts with your employees that are affected by this. There may be contracts with other third parties that could be affected or impaired because of your violation of the FCPA, in one instance.”

I was intrigued by Howell’s inclusion of bankers and creditors relying on the accuracy of your financial statements. This is because it is not uncommon now that a loan document or a secondary financing would require a company to maintain an effective anti-bribery, corruption compliance program. I asked Howell if this is something an external auditor would evaluate and, if so, how would they go about evaluating such a loan covenant?

Howell said this could well be important because if such a loan clause were violated, that would be part of the corporate disclosure. Howell went on to note that if an auditor were to become aware that a fraud was “committed and that fraud resulted in resources being used to pay a bribe, the auditor then needs to take a hard look at all the disclosures about the contingencies. If they’re uncomfortable with that, they need to report themselves about what they think that the client may have missed. When fraud is discovered, they cannot keep silent. They have to report it.”

I concluded by asking Howell about the SEC Audit Standard No. 5: what it is and how it ties into the FCPA and the line through SOX all the way to Dodd-Frank. Howell said the precursor to Audit Standard No. 5 was Audit Standard No. 2 which specified what Howell called a bunch of “‘thou shalt do’ stuff that became very mechanical and it drove people’s costs up and it made people uncomfortable.”

This led to the adoption of Audit Standard No. 5 and a change to a more risk based focus using a principles-based audit standard. The SEC wanted to direct “auditors to those areas that present the highest risk, such as financial statement, closed processes, and controls designed to prevent fraud by management. It emphasizes that the auditor is not required to scope the audit to find deficiencies that don’t constitute material weaknesses.”

Howell believes that bribery and corruption are subsets of fraud and auditors are “required to always disclose fraud, even if it’s immaterial. If they find fraud, and even if the fraud is immaterial, it still means that it could be a failure in the controlled environment that means that they can no longer really rely on those controls. They have to do something else. What they would do is substantive testing, which that means then they would go back and start to look at everything. That’s prohibitively expensive. It takes an enormous amount of time and it results in audits that are not sustainable.”

This means one can then even draw a line to Audit Standard No. 5, treating the risks that companies have doing business outside of the US under the FCPA as a risk that needs to be audited. Howell said this means you have to incorporate such an analysis into your FCPA compliance program because if you are doing business in high-risk countries which have a reputation for bribery as a way of doing business and you have operations there that rely on third parties that are securing contracts for you, you have an obligation to build a controlled environment which both prevents, to the best of your ability, mistakes and bribes from happening and, if one were to happen, is on the lookout for where that would most certainly and most likely show up.

Howell said this could be a variety of responses, including “transaction monitoring, surprise counts, sending in auditors to actually be part of that control environment to look for all the documentation. It is important to also have that sense of remediation. If you find it, what do you do with it? To whom do you report? What processes are in place? Are they working?”

 


Today, I continue my exploration with Joe Howell about the Public Accounting Oversight Board (PCAOB), its scrutiny of public company auditors and how its work impacts the corporate compliance function. Yesterday, I ended with a discussion about goodwill, how hard it may be to calculate, its impairment and what that might mean for a Chief Compliance Officer (CCO) and how difficult it is to test for both goodwill and a proper impairment calculation. Today I want to continue to explore why any write-downs are significant for the compliance function, as they might be a mechanism to hide money to fund bribes and engage in corruption.

I asked Howell about write-downs and how they might be used to hide monies generated to fund a bribe, in the context of an acquisition. Howell noted, “anytime you have to calculate what that original value is, if you have a spin-off, if you have some sort of massive write-down, then they’re going to want to take a look at that to see, How did you do that write-down? Did you do it to dress up your balance sheet, to make it a little prettier because you got rid of some intangibles because you didn’t want to have them anymore for other purposes? Or there was some sort of thing that was out of the ordinary that you did? Then they really want to look at that to make sure that there’s support for it.”

I then inquired about joint ventures (JVs) and asked if the same or similar rules would apply. Howell began by noting that an audit is focused on the external financial statements for the company taken as a whole as presented to financial statements. While that statement is in the context of what the final opinion focuses upon, it is important to recall that an audit builds up from its parts.

That means an auditor must build up from any JVs a company has, as these are areas that have the opportunity to create misstatements, mistakes, or completely fraudulent statements. The issues can go so far as to include Enron-type concerns where the company used fraudulent accounting to get “bad stuff” off of their balance sheet. I asked Howell whether, if you have a JV that has engaged in transactions that were based on fraud and the profits from that JV roll up into the parent’s, i.e. the US corporation’s, balance sheet, that would be an appropriate inquiry for an external auditor. He said “Absolutely. If an auditor finds fraud that’s not material to the financial statements taken as a whole, their job is not over. They don’t pass on stuff because it’s immaterial. If they find fraud, they’re obligated to report it. Also, that they find fraud, then they’re obligated to explore to see if the weaknesses and the controls that permitted that fraud are found elsewhere.”

One of the key inquiries in a Securities and Exchange Commission (SEC) Foreign Corrupt Practices Act (FCPA) investigation or enforcement action is around the issue of systemic failures of internal controls. Such failure is a sure basis for a finding by the SEC of a violation of the FCPA, even absent an affirmative finding of bribery. Howell said that a systemic inquiry from the auditing perspective is critical as well.

Howell said that if management is somehow involved in the colluding, then the auditors must “step back and take a hard look at what they’re going to be able to believe, if anything, that management has told them. If management is not involved and they have reason to believe that this is a bad actor somewhere in the organization, they’re not permitted to stop because it’s not material. They have to ‘move forward’ with the inquiry.”

Interestingly, Howell not only draws a line from the FCPA to the Sarbanes-Oxley Act of 2002 (SOX) to the Dodd-Frank Act of 2010; but also draws a line from the PCAOB to corruption risk because of the pronouncements from the PCAOB about what the auditors have to look for in terms of risk. This is because he believes “every PCAOB inspection report to date has mentioned fraud. That the purpose of mentioning fraud is that the failures in the accounting control environment that permitted a transaction to go unreported or misreported are the kinds of things that undermine the entire credibility of the financial statements and mean that you’re not going to be able to rely on that control environment. Fraud is central to all of this.”

Howell went on to explain that fraud usually occurs because there are weaknesses in controls which are exploited by bad actors to get the money or the resources, if not money, to actually then pay a bribe that is the focus of the FCPA. The PCAOB’s focus on fraud is because the controls need to be in place and they focus on internal controls over financial reporting. Howell noted he has not seen any FCPA settlement that did not have a material impact on the company in one way or another. He concluded by stating, “how can you say that you’re not dealing with material misstatements of the financial statements if you fail to report something that clearly is going to result in tens or hundreds of millions of dollars of penalties, disgorgement of profits, investigations, and tearing the company inside out in order to do the final remediation?”
