This week I am engaging in a week-long series on how a Chief Compliance Officer (CCO) or compliance practitioner might think about operationalizing a compliance program with other corporate functions and disciplines. I am joined in this exploration by Russ Berland, a well-known compliance commentator and practitioner who recently joined Dematic Inc., a Supply Chain optimization company, as it CCO. Today I want to demonstrate how the Internal Audit (IA) function can be used to more fully operationalize compliance.

The Department of Justice (DOJ) clearly feels IA is an important mechanism for compliance to use to operationalize compliance. In its Evaluation of Corporate Compliance Programs (Evaluation), Prong 9 it asks the following questions: “Internal Audit What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?”

According to the Institute of Internal Auditors, IA “is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Some of the key compliance activities of IA are to maintain its independence; to conduct auditing activity of awareness and adherence to policies, procedures, internal controls and corporate governance, including those relating to legal, compliance and ethics risks; to ensure there is follow up of recommendations made in IA reports, including those relating to compliance and ethics risks, including to track and report on management follow up; assist and collaborate on internal investigations, including having IA provide audit expertise in dealing with internal controls and financial data; assist in both design and auditing of internal controls and follow up as required. Clearly this is function which is and should be integrated into compliance.

Berland noted that IA is doing compliance “all the time” as it acts as the watchdog for a company in a variety of areas. IA could be looking at what steps are being taken to comply with HR policies, what steps are being taken to comply with various compliance requirements or policies and procedures. In performing such audits, IA could look at the questions of whether the employees are aware of standards of business conduct; whether they aware of the anti-corruption policies; what controls are in place; and whether they are effective in the implementation locally.

It should be apparent there are numerous benefits to compliance having closer and more robust integration with IA. Some of the more obvious ones include some of the topics I have previously explored this week such as leveraging compliance and ethics resources, strong investigation resources to explore risk and internal controls issue, broad awareness of compliance risks as they relate to the process or audit issues, an overall strengthening of the IA network throughout the company. Another area is through the leveraging of joint vendor resources that would be available to both, such as professional development, forensic accounting and other professional consultants, having ethics and compliance insights when recommending or making recommendations that are derived from internal audits.

One area which IA brings insight to that is critical to compliance but not well understood by compliance practitioners, particularly those with a legal background, is in internal controls, which form the very backbone of a best practices compliance program. Indeed, the Evaluation, Prong 4 asks the following, “Gatekeepers Has there been clear guidance and/or training for the key gatekeepers (e.g., the persons who issue payments or review approvals) in the control processes relevant to the misconduct? What has been the process for them to raise concerns?”

When an audit around controls is performed at the country, region, or business unit level, there should be coordination between compliance and IA on the audit plan. By doing so, it allows compliance to impart the need to determine how the internal controls, their design and effectiveness might impact issues around bribery and corruption under the Foreign Corrupt Practices Act (FCPA). Of course, ancillary compliance topics such as money laundering, trade sanctions, data privacy and data security can also be seamlessly considered by IA so an audit plan is as strong as possible given the time and resources available to pursue the audit.

From the compliance aspects, IA is “really kind of the watchdog or monitoring facility for the entire company”. This dovetails explicitly into this ‘gatekeeper’ function. Additionally and depending on the risk profile of the company and the way in which the audit schedule is set, IA can assist to operationalize compliance in other ways. For instance, IA could be looking at what steps are being taken to comply with HR policies, what steps are being taken to comply with various legal requirements or compliance requirements. Berland noted, “I have certainly seen numerous opportunities, or numerous instances where internal audit in doing a country audit in a country in Europe, would make some of the following inquiries: “Are these people aware of standards of business conduct?; Are they aware of the anti-corruption policies; and What controls are in place and are those effective in the implementation locally?”” Depending on the answers to these audit inquiries, compliance or better yet, compliance in conjuction with audit and HR could develop a remediation plan.

With such integration both groups benefit. IA can perform stronger investigations around to enterprise risks and internal controls issues, through a broader awareness of compliance risks which might occur related to audit issues or audit processes.  Such integration can work to strengthen IA’s network throughout company, leverage joint vendor resources such as professional development, internal controls, forensic accounting and other consultants and provide additional compliance insights when making recommendations following internal audits.

For its part, the compliance function can leverage IA resources and professionals, on audit techniques and analysis of internal controls. Equally such integration extends the corporate compliance influence through the company’s IA network using existing IA resources such as ACL and other ERP systems and IT query systems. Finally, it allows the corporate compliance function to be made aware of relevant concerns uncovered during audits so compliance is more fully able to participate in recommendations and follow up.

Tomorrow I will conclude this week long series with a look at operationalization of compliance through the corporate Controller’s Office.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

Today we honor folk-rocker Donovan and his signature song Sunshine Superman, which was profiled in the Wall Street Journal (WSJ) column Anatomy of a Song. The song was a love paean by the singer to “Linda Lawrence, his love interest, the song was recorded in December 1965 and released in July ’66, climbing to #1 in September.” When she first heard the song, while living in Los Angeles she “was home with my best friend Cathy when “Sunshine Superman” came on the radio. At the end, Cathy just looked at me, “Oh my God,” she said, “he still loves you.”” The fairy tale came true in 1971 when they were married.

Yet it was not the romantic angle on the song that intrigued me but the production. Donovan had written it for an acoustic guitar. His producer wanted a more mystic feel so he brought in “Tony Carr’s conga, Spike on acoustic bass and John Paul Jones on electric bass.” Even more amazingly he added a Jimmy Page electric guitar solo later so as Donovan noted, he had one-half of Led Zepplin on his song. It was this interconnectedness in the song’s production which caught my eye and introduces today’s look at the Wells Fargo Independent Directors of the Board of Wells Fargo & Company Sales Practices Investigation Report issued Monday. As I noted yesterday, there are multiple lessons to be garnered by the compliance practitioner from this matter. Today I want to turn to the corporate disciplines of Human Resources (HR), Internal Investigations and Audit as control function failures. I will save my special wrath for the law department and corporate risk management for Thursday.

Donovan’s Sunshine Superman leads as the demonstrative example of the interconnectedness of the Wells Fargo control failures. For the bank, it all started with the decentralized nature of the business units and the control functions which grew up to provide the support for them. The fraudulent conduct engaged in by Wells Fargo was euphemistically called “sales integrity” by the bank and that language was carried over into the investigative report. This decentralized nature did not allow HR to have visibility into the scope and nature of the fraud. This was despite the fact, “Almost all sales integrity cases and issues touched upon some facet of the HR function, including with respect to employee terminations, hiring, training, coaching, discipline, incentive compensation, performance management, turnover, morale, work environment, claims and litigations.” Yet, even within the HR function there was no effort to track or report on the fraud issues.

The second general issue was the deference given to the business units. Of course, the Community Bank unit was making tons of profit for the company but I am sure that had nothing to do with the fact the entire company seemed to employ an ostrich as its symbol. But it was even worse, as the Report noted, “This culture of deference was particularly powerful in this instance since Tolstedt was respected for her historical success at the Community Bank, was perceived to have strong support from the CEO and was notoriously resistant to outside intervention and oversight.”

Finally, was the ‘transactional’ approach to each issue around the fraud. Every control function managed to focus “on the specific employee complaint or individual lawsuit that was before them, missing opportunities to put them together in a way that might have revealed sales practice problems to be more significant and systemic than was appreciated.” The Report specified that HR had all the relevant information but failed to connect the dots. More pointedly, you cannot connect the dots if you are not looking to do so.

The problem at HR was two-fold. The first was that corporate HR had no oversight into problems of sales fraud because it had no oversight into the business unit. The Report stated that Community Bank “was not accustomed to involving Corporate HR in its discussions and decisions and was generally protective and defensive in keeping control of HR-related activities within the line of business.” The business unit controlled or cowed the Community Bank HR, even though the business unit HR was well aware of the sales fraud issues, from as far back as 2002 and “participated in efforts to stem the sales practices.” Yet during this entire period they never had the authority or resolve to do anything.

Internal Investigations was also aware of the sales fraud, apparently as far back as 2002. At least Internal Audit (IA) was not cowed by its reporting to the business unit. IA reported to various corporate functions including Audit, corporate HR and corporate Risk. Rather amazingly in 2004, “Internal Investigations was involved in the work of a sales integrity investigations task force, which also included representatives of Community Bank HR, Community Bank management and the Law

Department.” Internal Investigations called termed the fraudulent sales practices “gaming” and they prepared a report around their findings. The Internal Investigations report pointed to unrealistic sales goals and that employees felt they could not meet the goals without gaming the system. Presciently, the report “warned of the reputational risks for Wells Fargo, specifically, “[i]f customers believe that Wells Fargo team members are not conducting business in an appropriate and ethical manner, it will result in loss of business and can lead to diminished reputation in the community.”” Recall this Internal Investigations report was issued in 2004.

The report also specified there was an “incentive to cheat based on the fear of losing their jobs for not meeting performance expectations.” Internal Investigations also identified another data point which was disregarding. Demonstrating how the bank viewed terminated and departed employees, the company actively fought ex-employee attempts to obtain state of California employment benefits. The Internal Investigations report stated, “Wells Fargo had been losing unemployment insurance cases involving sales integrity terminations, in which judges “made disparaging comments” about the sales incentive system.” Finally, the report even benchmarked competitors which “significantly reduced their sales incentive employee terminations after revising their sales incentive programs.” The report ended by recommending “that Wells Fargo consider similarly reducing or eliminating sales goals for employees and removing the threat of employee termination if goals were not met.”

Internal Investigations did not fail as a control but when their report was forwarded to the then head of the unit, the Chief Auditor, he buried it. While he did report raw numbers to more senior management, he did not include any information on the root cause of the problem. Think about this final point in the context of the Department of Justice’s (DOJ) recently released Evaluation of Corporate Compliance Programs and its emphasis on root cause analyses.

IA comes in for discussion as this corporate function was (1) well aware of the problem, (2) did not believe it to be “an urgent problem” requiring IA to do anything, and most amazingly (3) thought the internal controls in place were working as they were turning up problems which were not the problem of IA to address. IA viewed controls as detect only, not to prevent or provide data to remediate.

The Report stated, “Audit witnesses also said that, as the third line of defense, Audit’s job was to ensure that the control environment established by the first (business) and second (Risk) lines of defense was appropriate. Audit personnel indicated that their focus was on testing the operation of specific processes and the processes’ effectiveness at managing the risks they were designed to control, but that they did not generally investigate root causes of risks; according to the witnesses, that task rests with the business, which they said has greater familiarity with the risk environment, better access to operational data and both proximity to and responsibility for its employees’ actions.”

If it seems like the inmates were running the asylum, remember those folks over in the Community Bank business unit were making money hand over fist for the bank. But the Report also demonstrates the interconnectedness of not only the sales fraud but its actual knowledge by multiple corporate functions with Wells Fargo. As none of these functions took responsibility for doing anything it appears the true culture of the bank was NMP as in Not My Problem. 

To listen to a YouTube version of Donovan signing Sunshine Superman, click here.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

In this episode Matt Kelly and myself take a deep dive into SOX 404(b), what it requires and how companies comply with the reporting requirements set out in this statute. We consider the recent announcements from Congressman Jeb Hensarling to amend this section to exempt companies under the $500MM who wish to go public from its reporting requirements. We consider the corporate and audit response currently in place for 404(b) and how this response is now well embedded in not only corporate controls but also in reporting. We discuss the importance of internal controls over the time frame since the enactment of SOX and how any change may not be well received by institutional investors and private equity funders.

For a more detailed discussion, see Matt’s blog post entitled, “Tale of Sound & Fury: The 404(b) Debate”.

In this episode I visit with WSJ MarketWatch reporter Francine McKenna on the recently concluded Taylor Bean litigation against PwC and what it might mean for the Big 3 going forward.

oscar-meyer-wienerLast week a true American original died when Richard Trentlage passed away. If you do not know his name you certainly know signature contribution to American culture, the Oscar Meyer Weiner Song. Rather amazingly Trentlage wrote the jingle in response to a contest sponsored by the Oscar Meyer Wiener Company for a new theme in 1962 and did so in an hour. According to his  obituary in the New York Times the song “debuted in 1962 a3 and became the company’s signature advertising tune in 21 English speaking countries until 2010.” Moreover the “song became a part of the fabric of American culture, with airings on the children’s television show ‘Captain Kangaroo’, on the cartoon ‘The Jetsons’ and on an episode of the ‘The Simpsons’ in 1990. The song and its writer were true American originals.

Another original was in the news last week when the UK pharmaceutical giant GlaxoSmithKline PLC resolved its outstanding Foreign Corrupt Practices Act (FCPA) issues with its settlement with the Securities and Exchange Commission (SEC) by agreeing to pay $20 million civil penalty when China-based subsidiaries spent millions of dollars on pay-to-prescribe schemes for several years to pump up sales. Even more amazingly the company received a declination from the Department of Justice. I say even more amazingly because at the time of the conduct at issue, GSK was under a Corporate Integrity Agreement, the pharma equivalent of a Deferred Prosecution Agreement. The CIA required GSK not only to obey laws (and to pay bribes) but have a functioning compliance program in place, which the company obviously did not give one whit about, at least in China.

For those who have long forgotten our friends over at GSK (hum the Oscar Meyer Wiener theme now) they were four or five major corruption scandals ago, way back in the summer of 2013 when news broke that the Chinese  government had accused the company of five years of institutional bribery and corruption. Senior GSK business unit leaders were arrested and GSK claimed to be shocked, just shocked that anyone would accuse it of bribery and corruption, especially after just paying the US government $3bn for false labeling products. Yet the corruption continued even after being reported by an anonymous whistleblower (cleverly monikered GSK Whistleblower) the company was not able to turn up any indicia of bribery and corruption in its China business in six months of looking.

As lightly as GSK apparently took these allegations, the Chinese authorities took them very seriously and in a few months of investigation turned up the massive and pervasive bribery scheme. They put numerous senior GSK China employees under house arrest and even managed to illicit a confession or two on public television.

All of this led to a secret trial in August 2014 where the company was fined approximately $490MM and the four top executives of GSK China were convicted. The non-Chinese citizens were deported. There was even a sex tape aspect to the matter but it was somewhat tangential to the case and (apparently) not a part of the SEC enforcement action. Most interestingly the SEC Order did not mention the fine paid in China and it is not part of the Order, although surely the SEC took it into account. At least I hope so.

Yet the SEC enforcement was not without some interest. The Order noted, “Between at least 2010 and June 2013, employees and agents of GSK’s China-based subsidiary and a China-based joint-venture engaged in various transactions and schemes to provide things of value to foreign officials, including healthcare professionals (“HCPs”), in order to improperly influence them and increase sales of GSK products in China.  This misconduct was facilitated in part by the use of collusive third parties that ostensibly provided legitimate travel and other services. The funds used for the improper inducements were frequently obtained under the guise of, and falsely recorded in GSK’s books and records as, legitimate travel and entertainment expense, marketing expense, speaker payments, medical associations payments, and promotion expense. Throughout this period GSK failed to devise and maintain a sufficient system of internal accounting controls and lacked an effective anticorruption compliance program. The deficiencies in GSK’s internal accounting controls and compliance program also led to instances of similar improper conduct in connection with sales in other countries in which GSK operates.”

Yet we learned more in the SEC Order about GSK China’s bribery scheme. One emphasis was the China business unit wide pervasiveness of the corruption. The Order noted that bribes were actually written into sale plans for the company, stating, “a 2013 work plan submitted by a sales representative to a regional sales manager described the intent to pay, among other things, an HCP RMB 20/box of prescribed product every month, and deliver appropriate gifts on each holiday in exchange for a guarantee of more than 40 boxes of prescribed product every month.”

There was also some attempt to investigate the conduct of the China business unit but they all failed uncover the systemic bribery of GSK China. One set of investigations noted, “During this period, local internal audit and compliance reviews identified controls deficiencies and evidence of some mechanisms that were used to fund the improper payments, but they were treated as isolated instances rather than signs of a larger problem.”

Even more damning was the following, “As early as 2010, internal audit identified problems related to sales and promotions staff practices in China. Among other findings it noted: [d]uring 2010, several new policies governing commercial activities such as grants and donations and sponsorships were introduced. The significant changes, combined with the high staff turnover, contribute to an environment where many commercial and medical staff do not understand how to apply policies or the rationale behind them. This was evidenced by approval of non-compliant activities, a lack of clarity on which policy to apply for activities such as grants, and weaknesses in documentation to support the legitimate intent of activities such as advisory.”

One wonders whether the internal audit staff was simply not competent to properly identify the bribery and corruption or if they simply knew not to look with any more depth or seeing their findings as “signs of a larger problem.” However given the finality of these resolutions with the SEC and DOJ, it is doubtful there will be any further investigations going forward as to GSK’s China issues.

Nevertheless the matter continues to present multiple lessons to be learned for the compliance practitioner. Assuming one wants to actually find nefarious conduct, stop it and then remediate it, GSK in China presents several lessons on what to look for and how to move forward. The SEC Order also re-emphasizes the bribery schemes used by the company. What the SEC Order and DOJ declination may ultimately symbolize is the end of a long and sordid affair for the company.

One might also consider the damage the scandal did to the parent company and the legacy of the soon-to-retire chief executive Sir Andrew Witty. While the scandal did not reach either the corporate parent in England and certainly not Sir Andrew, the $490MM fine in China and the $20MM fine in the US, pale beside the true cost to GSK, which was its sales targets in China. GSK had targeted the over $30 bn Chinese medical product and services market to be 20% of GSK total revenue by 2020. That strategy is now in tatters as the Chinese prosecution made GSK a non-entity in the Chinese health care market. Any transaction involving GSK involving a Chinese health care provider, invites government scrutiny. It is far easier for health care providers to purchase pharmaceuticals, health care products and medical services from companies which have not gone through such a prosecution.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016