Questions 2I continue my exploration of recent enforcement matters and issues by turning to the Johnson Controls, Inc. (JCI) Foreign Corrupt Practices Act (FCPA) enforcement action, which was announced last week. Mike Volkov has called the enforcement action a “head scratcher”. Whether you agree with Volkov’s analysis or not, the case has several significant points for the Chief Compliance Officer (CCO) or compliance practitioner, which I will review today.

The matter was settled via a Cease and Desist Order (Order) from the Securities and Exchange Commission (SEC) and a Declination issued by the Department of Justice (DOJ). For its penalty, JCI accepted over $11.8 million in profits as a result of approximately $4.9 million in improper payments made by China Marine. JCI agreed to disgorge these profits, pay pre-judgment interest of $1,382,561 and a civil penalty of $1,180,000 for a total amount of $14,362,561.

The underlying facts are about as sordid as they can be for a corporate enforcement action. JCI obtained the Chinese unit, China Marine, through its purchase of York International (York) in 2005. In 2007, York paid $22 million to the DOJ and SEC to resolve FCPA offenses in China and other countries that occurred between 2001 and 2006.  York agreed to a three-year independent compliance monitor. JCI, for its part, terminated those involved in China Marine’s illegal conduct after it acquired York.

JCI installed its own Managing Director and limited China Marine’s use of third party sales agents. However, as stated in the Order, “From 2007 to 2013, the managing director of China Marine, with the aid of approximately eighteen China Marine employees in three China Marine offices, continued the bribery and theft that began under his predecessor by using vendors instead of agents to facilitate the improper payments. The improper payments were made to employees of government-owned shipyards as well as ship-owners and unknown persons”.

The bribery scheme was quite sophisticated. It involved, “a multi-stepped arrangement that required the complicity of nearly the entire China Marine office from the managing director, to the sales managers, the procurement managers and finally to the finance manager. The managing director aided or at times approved requests for the addition of certain vendors to the vendor master file without disclosing that certain sales managers had ownership or beneficial interest in the vendors. After the managing director’s approval, sales managers added bogus costs for parts and services to sales reports, which inflated the overall cost of the project, and generated purchase orders for the bogus parts and services. The procurement manager knowingly approved the purchase orders.” The scheme even included the vendors themselves who “created fake order confirmations for the unnecessary parts and services and submitted invoices for payments.” To complete the circle, the China Marine finance manager would authorize the fraudulent payments.

In what can only be called a complete, total and utter failure of JCI’s internal controls, company auditors could not understand the China Marine transactions. Further, and with even more evidence of the lack of effective internal controls, many of China Marine’s transactions were deemed non-material so they were at a level below that which would trigger a review of corporate oversight from JCI’s Denmark office, which oversaw the China Marine business unit. The Order noted that the average vendor payment in the bribery scheme “was approximately $3,400” but the total amount of bribes paid was $4.9MM. One might reasonably wonder if JCI understood there was no materiality threshold under the FCPA. One might also ask if there was conscious indifference by the JCI corporate office.

For the CCO or compliance practitioner there are several important lessons to be garnered from this enforcement action. First is the absolute requirement for effective internal controls to be put in place. If your company does not understand the transactions that any subsidiary engages in, you have put your company at serious risk. For if a company’s internal auditors cannot understand a series of transactions, they you certainly cannot explain them to an auditor. Further, under Sarbanes-Oxley (SOX) §404, a company must not only acknowledge its responsibility for establishing and maintaining a system of internal controls and procedures for financial reporting and an assessment, but also report on the effectiveness of the company’s internal controls.

Karen Cascini and Alan DelFavero, in an article entitled “An Assessment of the Impact of the Sarbanes-Oxley Act on the Investigation Violations of the Foreign Corrupt Practices Act”, said, “Section 404 “requires management to annually disclose its assessment of the firm’s internal control structure and procedures for financial reporting and include the corresponding opinions by the firm’s auditor”. More particularly, “while the FCPA required public companies to institute effective internal controls to stop the bribes and make executives accountable, SOX 404 goes further, but has similar goals.”

All of this might reasonably lead one to ask, who at the corporate headquarters certified the effectiveness of both the JCI and China Marine’s internal controls? Moreover, the Accounting Provisions of the FCPA also includes a section requiring accurate books and records. Clearly JCI was not too interested in verifying the accuracy of the books and records of its China Marine subsidiary.

More than this lack of compliance with both prongs of the FCPA Accounting Provisions, the lack of seeming awareness of enhanced risks is a confounding aspect of this case. China Marine was clearly identified as a high-risk business unit of both York and later JCI. Simply putting your self-appointed Managing Director in place is not enough. Any competent risk management system requires oversight, or as my wife would say ‘a second set of eyes’. This is why an effective compliance program requires ongoing monitoring. It is even truer when an entire business unit is high-risk.

Tomorrow I will continue my exploration of the JCI enforcement action by looking at the DOJ’s Declination, in conjunction with the Pilot Program.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Lessons LearnedToday I conclude my three-part series on the Nortek, Inc. (Nortek) and Akamai Technologies, Inc. (Akamai) Foreign Corrupt Practices Act (FCPA) enforcement actions. These enforcement actions resulted in excellent results for both companies in that they each received Non Prosecution Agreements (NPAs) from the Securities and Exchange Commission (SEC) and declinations to prosecute from the Department of Justice (DOJ). The more I have read and reread the resolution documents from both enforcement actions, the more I have come to believe they are hugely significant and need to be studied by each and every Chief Compliance Officer (CCO) and compliance practitioner whose company is subject to the FCPA. The reason is we may have well reached a turning point in FCPA enforcement and how companies evaluate potential FCPA claims and disclosure.

The reason I think we may have reached this stage is that previously, in the fact pattern presented by either Nortek or Akamai, a company may have well made the decision to investigate thoroughly, remediate effectively and then not self-disclose to the government. However these two enforcement actions, coupled with the Pilot Program, may well change this calculus. This begins with the length of time from initial discovery to self-disclosure to the final resolution announced last week.

These enforcement actions were resolved quickly and efficiently. Further, Nortek’s self-disclosure was based on the company’s 2014 audit that had identified potential issues in a routine audit of the China subsidiary. These concerns were elevated for a full FCPA forensic audit and that investigation provided the information for the self-disclosure. Akamai began its investigation after a whistleblower report in December 2014. Both cases then show a less than two-year period from initial discovery to conclusion. This speaks to the robust nature of their detect prongs; either through Nortek’s internal audit or Akamai’s whistleblower program and response.

As noted by the FCPA Blog, in a post entitled “Akamai, Nortek settle China bribe cases with SEC non-prosecution agreements”, Nortek self-disclosed this matter in January 2015 and Akamai self-disclosed to the government in February 2015 and both had resolutions in June, 2016. This is a very short reported time frame for resolution of a FCPA matter and hopefully it will be a harbinger of things to come in terms of the reduced time frame from self-disclosure to resolution. Further, the reported investigations costs were far below those usually seen in FCPA investigations and enforcement actions as Nortek reported approximately $3.1MM in “FCPA related costs”; which is significantly lower than most reported costs in such a matter.

With the stated credit available in the Pilot Program and now the language from the DOJ in its declination and from the SEC in the two NPAs, I think companies may now see the benefits of coming forward and self-disclosing. Any company that makes the decision to not self-disclose most probably investigated and remediated so those costs will be incurring under such a scenario. However, if companies see the benefit of such self-disclosure, both in terms of not only a positive result but also a quick and efficient process, I think the calculus will change. I would also note, the straight line from the Yates Memo to the hiring of the new DOJ Compliance Counsel, Hui Chen, to the Pilot Program may well need to be extended to these two enforcement actions to demonstrate the change in the DOJ enforcement strategy.

However, there is more to be learnt from these enforcement actions than simply the fact that it may now be better to self-disclose than to choose not to do so, after complete investigation and full remediation. There were nuts and bolts nuggets about what to look for in your internal investigations. Indeed there were a couple of compelling references made not often seen in FCPA investigations reports. First in the Akamai internal investigation, its NPA reported that as a part of the company investigation it provided to the government “analyses of customer usage versus purchased capacities”. This is the type of data analysis we rarely see discussed in FCPA compliance programs yet I believe can greatly assist a CCO in looking at a large amount of information to see what risks strategically need to be investigated. Yet typically how many compliance practitioners either make this type of analysis or even have the capability to do so? This is why data analytics can be of use to the CCO going forward and, indeed, may be one of the prime ways to help the compliance function in the detect prong. Moreover, if such an analysis is used proactively, as a monitoring tool on an ongoing basis, it could move the needle from detect to prevent. This is well worth considering as you think about your compliance budget and resources going forward.

The second investigative prong reference I found interesting was in Nortek’s investigation protocol that stated the company conducted “a risk assessment to determine whether the improper conduct at Linear China occurred at Nortek’s other manufacturing locations in China.” Note that the government did not say Nortek performed a full FCPA forensic audit at the company’s other manufacturing locations in China but only a risk assessment. If there was ever language which validates the concept that a company does not have to “boil the ocean” in the context of an internal FCPA investigation, I think this statement may be it. If you move forward with a thoughtful approach, that is a well-thought out process, in a step-by-step approach, you do not need to look everywhere for everything under every rock.

Next, a word about translations. I would have thought it was almost self-evident that in any FCPA investigation it would be mandatory to translate into English foreign language documents. However in both NPAs the SEC specifically stated that the respondents “voluntarily translating documents from Chinese into English”. I guess there are still companies out there that have not gotten the message that documents have to be translated into English. So call Mr. Translations, Jay Rosen, and he will explain to you how to accomplish this requirement.

You should use both of these NPAs as guideposts to benchmark your company’s compliance program as the DOJ and SEC favorably commented on the remediation steps that both entities engaged in. In other words there were lessons on the actual doing of compliance that are significant for the compliance professional.

From the Nortek NPA, it articulated the following steps the company took:

  1. Revising its internal audit testing and protocols to focus on quickly discovering any FCPA-related improprieties;
  2. Strengthening the company’s its anti-corruption policies;
  3. Developing a Compliance Committee consisting of representatives from management and subsidiaries to supervise compliance implementation of Nortek’s policies and training;
  4. Providing extensive mandatory in-person and on-line trainings on the FCPA and anti-corruption policies to its employees around the globe in appropriate languages (there’s that translations issues again); and
  5. Adjusting its internal audit schedules to prioritize facilities located in geographic areas known for higher incidences of corruption.

From the Akamai NPA, it articulated the following steps the company took:

  1. Implementing a comprehensive due diligence processes for channel partners, which included engaging an outside consultant to conduct channel partner risk assessments;
  2. Strengthening the company’s anticorruption policies;
  3. Implementing enhanced compliance monitoring functions and structures, such as naming a Chief Compliance Officer and staffing a global team of dedicated compliance professionals in Europe, the U.S., and Asia;
  4. Providing extensive mandatory in-person and on-line trainings on FCPA and anti-corruption policies to its employees around the globe in appropriate languages; and
  5. Enhancing the company’s travel and expense control requirements in China, including requiring more detailed expense descriptions and supporting documentation and appointing an independent function with Chinese language capability to review and approve expense claims.

I hope that you will study these NPAs and declinations closely to see what lessons you may find for your compliance program. I also hope they will be a harbinger for both DOJ and SEC enforcements to come, where companies not only receive credit for turning over information on individuals for the government to prosecute but for taking steps to engage in the doing of compliance and not simply having a paper compliance program in place. No matter what the reason for the timing of these settlement resolutions, they are a welcomed addition for the FCPA compliance practitioner.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

7K0A0223This week I have been exploring the Public Accounting Oversight Board (PCAOB) with Joe Howell, an Executive Vice President (EVP) with Workiva Inc. We have considered how some of the issues addressed by the PCAOB directly impact the Foreign Corrupt Practices Act (FCPA) compliance practitioner in ways that might not seem immediately self-evident. Today I will conclude my series with Howell by considering some of the costs for the failure of internal controls and how auditors, governed by the PCAOB, can help foster and facilitate a best practices compliance program.

There is no materiality standard under the FCPA. This is generally a different standard than internal auditors or accountants consider in a company. However Howell believes their approach is wrong based upon simply more than just a plain reading of the statute itself. This is because Howell feels it is not simply the materiality of the bribe, it may not even be the materiality of the contract that you receive because of the bribe. Howell’s view is that it is much broader as the materiality would be the entire cost that potentially the company could be liable for: pre-resolution investigation, an enforcement penalty and fine, and then post-settlement remediation or other costs.

Howell began by noting that a company must report contingent liabilities in its financial statements, if only in notes. Even if a company cannot estimate these costs, they must be described. A financial statement would be incomplete and actually wrong if they fail to describe a liability when you know that you have one. This means “If a company discovers that a bribe was paid and a fraud was perpetrated and that money was used to pay a bribe, they now know that they have some sort of liability, a cost that they’re going to have to recognize at some point, but they don’t know how much it is yet.”

Howell acknowledges there can be many reasons why a corporation would not want to put such a disclosure on the face of its financial statements; nevertheless, they do need to describe it in the financial statements in order to actually give the reader of the financial information the full picture that they are required to provide.

Any FCPA investigation is going to have a profound cost. If a company desires to take advantage of the new Department of Justice (DOJ) Pilot Program and self-disclose to the DOJ and Securities and Exchange Commission (SEC), it still may result in a risk of a fine, disgorgement of profits and other penalties. Howell added, “then monitoring at the backend and penalties and reputational risk. All of which go together to be material to the company. Even though the bribe was a little bribe, even though the fuse was a small fuse, the bomb is a big bomb. When you see a fuse, notice that it’s been lit, you have an obligation to report that. That’s material. It’s relevant to the reader of the financial statements. Because the fuse is small, you can’t say, I don’t have to report it.”

In an interesting insight for the Chief Compliance Officer (CCO) or compliance practitioner to consider, Howell said that even if you remediate but make the decision not to self-disclose that alone may be evidence that your books and records are not accurate. Take a minute to consider that from the SEC perspective. If your SOX 404 disclosure does not reflect any reportable FCPA incidents because you have remediated and made the decision not to self-disclose, that alone can be a violation of the FCPA.

While Howell believes that such contingencies will resolve themselves over time, he believes it is important to make that immediately available to readers of the financial statements. He went on to state that there are large numbers of diverse constituencies who depend on your accurate financial statements. These include, “your bankers, creditors, as well as your shareholders. You may have relationships that are contractual relationships with suppliers, customers that could be affected by this. You may have contracts with your employees that are affected by this. There may be contracts with other third parties that could be affected or impaired because of your violation of the FCPA, in one instance.”

I was intrigued by Howell’s inclusion of bankers and creditors relying on the accuracy of your financial statements. This is because it is not uncommon now that a loan document or a secondary financing would require a company to maintain an effective anti-bribery, corruption compliance program. I asked Howell if this is something an external auditor would evaluate and, if so, how would they go about evaluating such a loan covenant?

Howell said this could well be important because if such a loan clause were violated, that would be part of the corporate disclosure. Howell went on to note that if an auditor were to become aware that a fraud was “committed and that fraud resulted in resources being used to pay a bribe, the auditor then needs to take a hard look at all the disclosures about the contingencies. If they’re uncomfortable with that, they need to report themselves about what they think that the client may have missed. When fraud is discovered, they cannot keep silent. They have to report it.”

I concluded by asking Howell about the SEC Audit Standard No. 5: what it is and how it ties into the FCPA and the line through SOX all the way to Dodd-Frank. Howell said the precursor to Audit Standard No. 5 was Audit Standard No. 2 which specified what Howell called a bunch of ““thou shalt do” stuff that became very mechanical and it drove people’s costs up and it made people uncomfortable.”

This led to the adoption of Audit Standard No. 5 and a change to a more risk based focus using a principles-based audit standard. The SEC wanted to direct “auditors to those areas that present the highest risk, such as financial statement, closed processes, and controls designed to prevent fraud by management. It emphasizes that the auditor is not required to scope the audit to find deficiencies that don’t constitute material weaknesses.”

Howell believes that bribery and corruption are subsets of fraud and auditors are “required to always disclose fraud, even if it’s immaterial. If they find fraud, and even if the fraud is immaterial, it still means that it could be a failure in the controlled environment that means that they can no longer really rely on those controls. They have to do something else. What they would do is substantive testing, which that means then they would go back and start to look at everything. That’s prohibitively expensive. It takes an enormous amount of time and it results in audits that are not sustainable.”

This means one can then draw even a line to Audit Standard No. 5 and the risks that companies have doing business outside of the US under the FCPA as a risk that needs to be audited. Howell said this means you have to incorporate such an analysis into your FCPA compliance program because if you are doing business in high-risk countries which have a reputation for bribery as a way of doing business and you have operations there that rely on third parties that are securing contracts for you, you have an obligation to build a controlled environment which both prevents, to the best of your ability, mistakes from happening, bribes, and then if one were to happen, to be on the lookout for where that would most certainly and most likely show up.

Howell said this could be a variety of responses, including “transaction monitoring, surprise counts, sending in auditors to actually be part of that control environment to look for all the documentation. It is important to also have that sense of remediation. If you find it, what do you do with it? To whom do you report? What processes are in place? Are they working?”

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Lee and GrantToday we celebrate one of the most momentous anniversary’s in the history of the United States, for it was on this day in 1865, 150 years ago, that Confederate General Robert E. Lee surrendered his Army of Northern Virginia to Union Commanding General Ulysses S. Grant at Appomattox Courthouse, effectively ending the American Civil War. Fighting continued for several more weeks to come, however with Lee’s surrender the Civil War had, in all intents and purposes, ended.

Lee and his troops were forced to abandon the Confederate capital of Richmond, they were blocked from joining the surviving Confederate force in North Carolina, and were harassed and outrun by Union cavalry, who took 6,000 prisoners at Sayler’s Creek. With desertions mounting daily the Confederates were surrounded with no possibility of escape. On April 9, Lee sent a message to Grant announcing his willingness to surrender and in the afternoon they met at the home of Wilmer McLean and agreed to the terms of surrender.

Although politicians would later change these terms quite dramatically, Grant is said to have told his officers, “The war is over. The Rebels are our countrymen again.”

Later this month, from April 28-30, Hanson Wade is putting on its annual conference in Houston. It is the “Oil and Gas Supply Chain Compliance” conference, now in its 5th year, and once again the list of speakers is simply stunning. It includes the following Chief Compliance Officers (CCOs) and senior compliance folks: Dan Chapman, Cameron; Brian Moffatt, Ethos Energy, Jay Martin, Baker Hughes; Marcel De Chermont, Acteon Group, Jan Farley, Dresser-Rand; John Sardar, Noble Energy and a host of other luminaries in the field of Foreign Corrupt Practices Act (FCPA) compliance. Even if you live outside of Houston, the FCPA compliance talent at this event will rival any other event in the US and for such an event not held in Washington DC or New York City, it is simply outstanding.

Some of the panels and topics for discussion include: Applying Culturally Sensitive Approaches To Deliver A Core Compliance Methodology For A Variety Of Countries And Risks; How to Meaningfully Engage Your Business Operations in Taking Greater Compliance Ownership; Avoid The Risk Of Cavalier Behaviour Across The Supply Chain In The Face Of A Challenging Economic Climate; How To Deliver Cost-Effective, Risk Based, Function Specific Compliance Training; several in-depth presentations on Supply Chain and Third Party due diligence. These are but some of the sessions and there are many other excellent panels, sessions and speakers which I have not mentioned.

Recently the Event’s Chairperson, Dan Chapman, Vice President, Chief Ethics and Compliance Officer for Cameron, talked about some of the issues that will be discussed in this year’s conference. Chapman said, “Supply chain is, in my mind, a critical part of compliance and creating awareness throughout the business as to when and where you should apply compliance principles is a key focus. For me the industry has evolved in recent years, and our organizations tend to now have strong legal teams who understand anti-bribery and corruption legislation. Not only this, they now have the ‘tone from the top’. Where I feel that work needs to be done is practically embedding compliance into operational processes, and becoming a true and valuable partner to the business. With the current state of the oil price, we’re likely set for reduced budgets and increased risk, which makes it more important now than ever to share stories, materials and solutions to effectively mitigate compliance risk while enabling business delivery.”

I will be speaking at the conference on internal controls but I am extremely pleased to be co-leading an in-depth workshop on the third day of the event, with Joe Oringel, guest blogger and Managing Director at VisualRisk IQ. In our workshop, you will learn how to implement a system of data-driven monitoring controls and documents to measure the effectiveness of your compliance program and get you through a Securities and Exchange Commission (SEC) investigation. During our 3 hour session we will go into the weeds on the following:

  • Understanding what internal controls are required under a best practices compliance program;
  • Recognizing what FCPA enforcement actions tell us about internal controls in an anti-corruption compliance program;
  • Getting to grips with what the SEC expects you to have in place;
  • Competently documenting the effectiveness of your internal controls;
  • Understanding best practices and a methodology for the use of data analytics in compliance and ethics organization;
  • Prioritizing business and compliance questions that can be answered with analysis of digital data; and
  • Identifying a learning plan and resources to enhance your team’s data analytics expertise

I hope that you can attend this most excellent FCPA conference with the two-day sessions on April 28 and 29 and the workshop day on April 30. Very few FCPA conferences focus on Supply Chain and the information that you will receive at this one will be first rate. Finally, Hanson Wade has allowed me to offer a 20% discount to readers of my blog. You can obtain it by entering the code TFLaw20 when you register online. For the conference brochure and full details regarding the agenda and registration, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015