Candice Tal, founder and Chief Executive Officer (CEO) of Infortal Worldwide, the sponsor of this podcast series, continues to visit to consider various aspects of international due diligence investigations. In many ways this can be viewed as finding a needle in the corporate haystack of information and data. Tal will help us through that maelstrom to find useful and actionable information for your compliance program. In Part IV, we consider compliance-related due diligence in mergers and acquisitions (M&A) and how it can protect companies from both financial loss and reputational damage.


The disastrous Hewlett-Packard (HP) merger with the UK Company Autonomy Corporation PLC was back in the news recently when the former Autonomy CEO was indicted by a US grand jury for making false representations in the sale of his company to HP back in 2010 for $11.1 billion. Some 18 months later, HP threw in the towel and wrote off $8.8 billion from the failed merger of the two companies. HP has claimed that Autonomy, with the knowledge and participation of its senior management, actively misrepresented its financial statements. Former Autonomy executives claim that there was no misrepresentation, only the differences in US and UK accounting standards and that HP could have performed full due diligence on Autonomy but either did so negligently or failed to do so. 

Tal noted that compliance due diligence in M&A is different than looking at numbers; it is a much deeper dive. Compliance due diligence investigations are an overriding term for a number of different aspects or applications of due diligence. There could be agent and distributor due diligence, vendor due diligence together with looking at the company and its operations, its financial information, its executives, its Board of Directors and senior management. She cautioned that in the past, many companies really do not look at the executives of a target, which can lead to multiple problems later on, in terms of the Foreign Corrupt Practices Act (FCPA) violations and also shareholder losses, market losses and volatility at all levels.

She said that rarely do the purchasers look closely at the target’s Board of Directors but that it can be an important inquiry from the compliance perspective. For instance, if the Board has any issues that the acquirer should be aware of which would impact or even dictate tone at the top; this could be critical information. It might not even be untoward information which could be uncovered in the deep dive due diligence on the Board. It could uncover potential conflicts of interest which are currently in place or could occur should the merger occur. Finally, such a due diligence on the target’s Board could give the acquirer information on both the target’s culture and what needs to be in the remediation plan after closing. 

Certainly a deep dive due diligence should be performed on the target’s CEO and senior management to see if there is anything in their past which could turn around and bite the acquirer after closing and integration. As Tal has previously noted, from her 30+ years of experience in performing deep dive investigations on senior executives, approximately 20% have significant issues in their background that were not known. Obviously this can present serious problems to an acquirer if the risks manifest after the closing. 

Tal turned to another topic she has developed through her years of work in this field, which she called “the investigative hunch.” She said, “you expect to find certain pieces of information and you don’t find it anywhere. The question is: what does that mean? Does it mean anything or is it something that’s being covered up and potentially serious?” This example shines a light that there are many different aspects to investigative due diligence, particularly in M&A. Transactional due diligence is one part of compliance due diligence in the M&A context but it is only one part. Through a more robust, deeper dive due diligence you can begin to uncover both hidden and undisclosed information that can be found through both deep media and historical Internet searches. She concluded with “it’s a much, much greater type of investigative analysis than simply Level I due diligence.”

Tomorrow we will conclude our five-part series by reviewing deep dive due diligence in light of the increase in global anti-corruption investigations and enforcements. 

Established in 1985, Infortal Worldwide has conducted over 2 million investigations globally. Infortal specializes in investigations for FCPA vendor risk management, M&A transactions, Board Due Diligence, and screening executives internationally, in addition to routine background checks. For more information, check out their website at  

Greg Lake is best remembered as the guitarist for the prog rock trio, Emerson, Lake and Palmer. Appropriate to this holiday season, while still a member of ELP, Lake achieved solo chart success with his single, I Believe in Father Christmas, which was released in 1975 and is a great rock and roll addition to the musical Yuletide oeuvre. Much like A Charlie Brown Christmas, the song criticizes the commercialization of this holiday. Lake also affirms his vow that “I believe in Father Christmas” and that he had not lost that childhood wonder and awe around Christmas and faith in the English version of Santa Claus.

In honor of Lake, Father Christmas and the holiday season, I thought a review of internal controls around gifts was in order. Many companies effectively minimize the risk of inappropriate gifts through stringent pre-approval requirements because a sufficiently robust and enforced pre-approval policy can reduce the number of gifts simply because of the headache of getting the pre-approval. This has the added benefit of ensuring enforcement of internal controls, largely because of the reduced volume of gifts being included in expense reports. In considering the effectiveness of controls, you must always keep in mind that the most frequently used method for defeating an internal control driven by a dollar-amount criterion is splitting the item into multiple parts in order to appear to stay under the limit and to avoid the defined approval authority based on the amount of the gift.

A key analysis is whether there are controls in place to enforce the policies and whether those controls are documented. To help to answer this query, there are four issues to evaluate:

  • Is the correct level of person approving the payment / reimbursement for the gift?
  • Are there specific controls, including signoffs, to demonstrate that the gift had a proper business purpose?
  • Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls?
  • If controls are not followed, is that failure detected by other internal controls or the compliance protocols?

While many compliance practitioners believe that employee expense reports are a sufficient internal control regarding gifts, because there are other ways in which a gift can be presented, there need to be other controls. Once your company policy on gifts has been finalized, the internal controls over expense reports fall into three basic areas: (1) The expense report format, including what information it requires; (2) Controls over the submitting employee and the preparation of the expense report; and (3) Controls to ensure the approvers do their review process properly.

The format of an expense report can go a long way towards prevention of violations of company policy. First it is important to have preprinted representations and certifications within the form because these can lead to “stop and think” type of controls, meaning the person submitting the expense report has to at least consider the information being submitted. The form can be signed without reading the preprinted representations, but if the employee and reviewers have been trained on how to review the expense report, it can be difficult to say later that the submitting employee did not understand what they were signing.

You should also consider two forms of representation, the Preparer’s representations and the Approver’s representations. The Preparer’s representations include ensuring that all items representing a proper business purpose comply with the company’s code of conduct, comply with local law and custom, and comply with all applicable company policies regarding Foreign Corrupt Practices Act (FCPA) compliance. The Approver’s representations ensure that all supporting documentation has been examined and that all documentation complies with applicable company policies, including the submission of original receipts.  Further, the Approver should certify that they have complied with all company policies regarding the review and approval of the expense report.

Many companies have two basic forms of expense reports. One is for situations in which all items pertain to US locations and do not involve any expenses incurred outside the US or for benefit of persons outside the US. The second is for items involving locations or persons outside the US. The international reporting form might have more stringent requirements and should provide for more detailed disclosures. It could require reporting, in a separate section of the expense report, all items that involve government officials, so that these items are not “buried” elsewhere in the expense report. As an added measure, the expense report should include a column which requires the submitter to check “Government Official Y/N?” This type of format should require sufficient disclosure of information regarding each item involving government officials.

The next step in such an enhanced protocol would require a senior officer from the business unit to approve any reimbursements that meet certain criteria, for example, certain geographical areas or countries. Finally, such an enhanced representation could also include separate sections for each item requiring a description of the business purpose of meals, entertainment, names and business affiliation of all attendees, description of gifts and their business purpose, etc. A typical expense report requires this information to be on the receipt.

Moving beyond simply requiring receipts and requiring such detail to be incorporated directly onto the expense reimbursement forms highlights the presence or absence of proper documentation much more readily. It is also incumbent to ensure reviewers sign off that each item has documentation that required pre-approvals were obtained, if necessary.

In this holiday season, you need to be more vigilant in your compliance around gift giving. The Key Energy FCPA enforcement action reminded everyone that gifts given around the holiday season can form a part of a FCPA violation. By having robust internal controls around gift giving, you can help to prevent such violations.

To help put yourself in the proper mood for the holiday season, check this YouTube clip of Greg Lake singing I Believe in Father Christmas.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2018

In this new podcast series, recovering screenwriter (and Mr. Monitor) Jay Rosen and I will indulge in passion for the movies by looking at them through the lens of compliance. Jay is a contemporary movie fan and I am more of a classic movie maven so we present a well-rounded view of the movie fandom. To jump start the series, Jay and I revisited the intersection of Star Wars and compliance in five episodes this week. Today for our first full episode, we look at the recently released music bio-pic Bohemian Rhapsody. So if you want to indulge in your love for the movies with two guys who are passionate about Hollywood and get some ideas for your compliance program, this is the podcast series for you.

Some of the highlights include:

  • How the movie came together after years in development and how it could have been a much different picture.
  • The stars were spot on in their portrayals of the band members (living and dead).
  • How do you wrap a story of redemption around a character you know will die of a terminal illness?
  • Tom indulges in his love of tracking shots.
  • Jay explains how the story structure worked in this movie.

The Compliance takeaways:

  1. A compliance program must continually innovate.
  2. You must bake continuous improvement into your compliance program.
  3. Every compliance professional should be ready for the opportunity; whether it be to move up in your profession or sell a new compliance initiative.
  4. The creative process in music can inform your innovation in compliance—engage your audience.
  5. Use the design thinking model, listen to what your audience wants from compliance.
  6. Learn from your mistakes and move forward incorporating the lessons learned into the next iteration.

We conclude our 5-part series on the intersection of Star Wars and compliance by looking at the only stand-alone entry in the Star Wars series, Rogue One. This movie tells the tale of the spies who stole the schematics from the original Death Star and transmitted them to Princess Leia and thereby the Rebel Alliance. Rogue One is the first film in the Star Wars Anthology series, a series of stand-alone spin-off films in the Star Wars franchise. It is not clear where the name of the movie came from; although my personal nomination is that in the attack led by Luke on the original Death Star, his squadron was Rogue Two so the movie title is a tribute to those Rebel Alliance X-wing fighters and their pilots. It informs the myth of the rogue employee.

As long as 24 years ago, Lynn S. Paine wrote about the myth of the rogue employee in the Harvard Business Review (HBR), in an article entitled “Managing for Organizational Integrity.” In this article she wrote, “executives are quick to describe any wrongdoing as an isolated incident, the work of a rogue employee. The thought that the company could bear any responsibility for an individual’s misdeeds never enters their minds. Ethics, after all, has nothing to do with management. In fact, ethics has everything to do with management.” How prescient she was in her article.

For it is management who sets the tone throughout the organization, whether that is something along the lines of a wink and a nod towards ethics and compliance or the more ubiquitous miss your numbers for two quarters and you will be history. Paine noted, “More typically, unethical business practice involves the tacit, if not explicit, cooperation of others and reflects the values, attitudes, beliefs, language, and behavioral patterns that define an organization’s operating culture. Ethics, then, is as much an organizational as a personal issue.”

However, a company’s responsibility is more than simply to set the right tone then sit back and do nothing. The drafters of the Foreign Corrupt Practices Act (FCPA) recognized this when they included the requirement for internal controls to be included in the law. For, as Paine said, “Managers who fail to provide proper leadership and to institute systems that facilitate ethical conduct share responsibility with those who conceive, execute, and knowingly benefit from corporate misdeeds.”


Yet the myth of the rogue employee is more than a simple myth. It is also a dangerous myth. It is dangerous because it excuses negligent or intentional corporate behavior. Mike Volkov, in a blog post entitled “The Myth of the Rogue Employee,” noted that illegal conduct such as that under the FCPA does not occur “in a vacuum.” He explained, “There are other employees with whom the person interacts, there are financial controls in place to protect against such misconduct, there are reporting mechanisms for employees to report suspicious activity, and there is likely to be someone in the organization who is close enough to the bad actor, or responsible for the conduct of the bad actor, and who suspected or should have suspected that the actor was engaged in misconduct.” Moreover, the more sophisticated the scheme, the more actors are involved and the more controls are overridden or disregarded. As he explained, “As the misconduct becomes more complicated, like in the case of bribery or antitrust violations, where such schemes require additional actors or raise red flags or where others are in a position to know or suspect that misconduct may have occurred”.

The three basic tenets of a best practices compliance program are to prevent, detect and remedy. By claiming employees who engage in bribery and corruption have ‘gone rogue’, companies are attempting to divest themselves of responsibility for actions from which they benefit, particularly if the bribery and corruption generated business sales and revenue.

We hope you have enjoyed our five-part podcast series on the intersection of Star Wars and compliance as much as we enjoyed producing it. Always remember the storytelling component of compliance. Reciting rules, regulations, policies and procedures is the way to engage effectively in compliance.

During this week, I have been considering last week’s Department of Justice (DOJ) and Securities and Exchange Commission (SEC) pronouncements about where 2018 Foreign Corrupt Practices Act (FCPA) enforcements have been and where the FCPA may be going in the future. We were treated to a speech by Deputy Attorney General Rod Rosenstein, who delivered a keynote address to the conference the same week as ACI. The speeches and remarks provided solid information for the compliance practitioner going forward into 2019. I had intended to have a three-part blog series on these remarks but as usual I got carried away and so in this post I will review Rosenstein’s speech and his modification to the Yates Memo. In Monday’s post, I will tie it all together for what it means for the compliance profession and how a Chief Compliance Officer (CCO) or compliance practitioner can use the information going forward.

But before I do so, I want to say a few words in tribute to George Herbert Walker Bush who died last Friday night here in Houston. He was buried in College Station yesterday next to his beloved wife, Barbara. I know they are now together again in heaven. He was the last of the Greatest Generation to serve as President. His administration was the culmination of nearly 40 years of American hegemony which led to the downfall of the Soviet Union. That final point would be enough for any political legacy. Yet his legacy was much more than that seminal event.

Born into immense family wealth, he enlisted in the US Navy on his 18th birthday, serving during World War II (WWII). After the war, he attended Yale University where he played baseball. After graduation he went into the oil business, first in Midland, Texas and then moving to Houston. In the 1960s he went into public service. He was a Congressman, representing west Houston. After Congress, he served as Ambassador to the United Nations, Chairman of the Republican National Committee, Envoy to China and Director of the Central Intelligence Agency. He ran for President in 1980 and when Ronald Reagan became the GOP nominee, he asked Bush to serve as his Vice-President, which he did for eight years. Bush ascended to the Presidency in 1988 for one term.

On the foreign affairs front, Bush oversaw the end of the Soviet Union. He did so in a manner which did not humiliate America’s former rival. Bush also successfully prosecuted the First Gulf War, after Iraqi President Saddam Hussein invaded Kuwait. Bush led a grand coalition which expelled the Iraqis from Kuwait without invading Iraq or toppling Hussein. Unfortunately his son did not learn much from that success.

However, it was one domestic matter that, of the political acts Bush engaged in, was the most powerful for me and said more about the character of the man. It was his vote for passage of the Fair Housing Act of 1968, which prohibited discrimination in housing. To say that this vote went against the wishes of the majority of voters in his district is a very large understatement. Yet Bush met his constituents head on. Bush’s son Neil said of one angry town hall meeting, “His constituents were, many of them were irate and so he addressed the crowd at a particular gathering that we all attended. And he did it with such dignity, and I just will never forget how proud I was.”

Rosenstein began with a personal example of the invidiousness of corruption. He stated, “I visited the nation of Armenia in 1994, just as it was emerging from seven decades of Soviet domination. I gave a talk about public corruption at the University of Yerevan. After I finished, a student raised his hand. He asked me, “If you cannot pay bribes in America, how do you get electricity?” It was a pragmatic question that illustrated how that young man had learned to think about his society.  Corruption may start small, but it tends to spread like an infection. It stifles innovation, fuels inefficiency, and inculcates distrust of government.”

From there he moved to the international efforts to fight bribery and corruption. He said, “Many of our cases require extensive coordination with domestic and foreign law enforcement partners.  Three recent corporate resolutions involved collaboration with the Securities and Exchange Commission. Those settlements resulted from coordinated dispositions consistent with the policy against “piling on” that we announced in May. Under that new policy, Department components work jointly with other enforcement agencies with overlapping jurisdiction. Our goal is to enhance relationships with law enforcement partners in the United States and abroad, and avoid duplicative penalties. It is important to punish wrongdoers. But we should discourage the sort of disproportionate and inefficient enforcement that can result if multiple authorities repeatedly pursue the same violator for the same misconduct.”

Rosenstein concluded by announcing a modification of the Yates Memo. The change will probably not be significant going forward for the compliance professional. Nevertheless, the minor change, and none other, demonstrates the DOJ’s commitment to the principles underlying it as articulated by Rosenstein last year when he announced the new FCPA Corporate Enforcement Policy. The Yates Memo had required companies to fully investigate and turn over to the government information on all employees who might be involved in bribery and corruption violating the FCPA. The revision is designed to make “clear that any company seeking cooperation credit in criminal cases must identify every individual who was substantially involved in or responsible for the criminal conduct.” [emphasis supplied] This change was made so that “investigations should not be delayed merely to collect information about individuals whose involvement was not substantial, and who are not likely to be prosecuted. We want to focus on the individuals who play significant roles in setting a company on a course of criminal conduct. We want to know who authorized the misconduct, and what they knew about it.”

Now companies must focus their efforts on those who were substantially involved or substantially responsible. In practice this may not seem like much of a change, but it does remove the requirement that each and every person who participated be investigated before a company can conclude a FCPA enforcement matter. Taken together with the FCPA Corporate Enforcement Policy, it should be a continued welcome for the compliance profession, allowing a more focused investigation and hopefully quicker overall resolution.

Next Monday I will consider what it all means. 
