The Foreign Corrupt Practices Act (FCPA) enforcement journey, which began last summer with the guilty plea of Vicente Garcia for the payment of bribes to obtain contracts in Panama for his employer, SAP International, ended this week with the release of the Securities and Exchange Commission (SEC) civil action against the parent of SAP International, SAP SE, a German company. The case was concluded via a Cease and Desist Order (the “Order”). The fine was a relatively small $3.7MM with prejudgment interest of another $188K.

The facts were straightforward, and Garcia had previously admitted to them in his guilty plea and sentencing hearing last December. He circumvented SAP internal controls to create a slush fund from which to pay bribes. To do so, he had to actively evade an internal compliance system that had stopped him from hiring a corrupt agent to facilitate the bribe payments. Frustrated by the success of the SAP compliance function in stopping his initial bribery scheme, he then turned to using a previously approved distributor to facilitate the payment. He did so by giving this distributor an extraordinary discount. The corrupt distributor then sold the SAP products to the Panamanian government at full price and used the price difference to fund the bribes to the corrupt government officials. This led to a $14.5MM sale to the distributor with $3.7MM in profits to SAP. Hence, the amount of profit disgorgement.

The bribery scheme is a clear lesson for any company that utilizes a distribution model in the sales chain. Bill Athanas, a partner in Waller Lansden Dortch & Davis LLP, has articulated a risk management technique for this type of bribery scheme, which he has called the Distributor Authorization Request (DAR). It provides a framework to supply a business justification for any discount offered to a distributor and to assess, manage and document that discount.

It begins with a DAR template, which is designed to capture the particulars of a given request and allows for an informed decision about whether it should be granted. Because the specifics of a particular DAR are critical to evaluating its legitimacy, it is expected that the employee submitting the DAR will provide details about how the request originated as well as an explanation in the business justification for the elevated discount. In addition, the DAR template should be designed so as to identify gaps in compliance that may otherwise go undetected.

The next step is that channels should be created to evaluate DARs. The precise structure of that system will depend on several factors, but ideally the goal should be to allow for tiered levels of approval. Athanas believes that three levels of approval are sufficient, but can be expanded or contracted as necessary. The key is the greater the discount contemplated, the more scrutiny the DAR should receive. The goal is to ensure that all DARs are vetted in an appropriately thorough fashion without negatively impacting the company’s ability to function efficiently.

Once the information gathering, review and approval processes are formulated, there must be a system in place to track, record and evaluate information relating to DARs, both approved and denied. The documentation of the total number of DARs allows companies to more accurately determine where and why discounts are increasing, whether the standard discount range should be raised or lowered, and gauge the level of commitment to compliance within the company. This information, in turn, leaves these companies better equipped to respond to government inquiries down the road.

Yet in addition to the DAR risk management technique advocated by Athanas, there is a second lesson: more robust transaction monitoring in your compliance program going forward. As noted in the Order, one of the remedial measures engaged in by SAP after the bribery and corruption was detected was that the company “audited all recent public sector Latin American transactions, regardless of Garcia’s involvement, to analyze partner profit margin data especially in comparison to discounts so that any trends could be spotted and high profit margin transactions could be identified for further investigation and review.”

This is the type of transaction monitoring which a Chief Compliance Officer (CCO) or compliance practitioner traditionally does not engage in on a pro-active basis. However this is clearly the direction that US regulators want to see companies moving towards as compliance programs evolve.

Here a couple of questions would seem relevant. What happened? and How do you know? In answering these questions, it is clearly important that there should be an understanding of the business cause of significant sales and that there could be other issues involved in the situation that may require consideration by the compliance practitioner. While a company would usually only consider an analysis of variations at the level at which the sales increase was material, this was not the path taken by SAP in their post-incident investigation. Moreover, such a sales increase would most probably be material for the Panama region and certainly for the employee in question.

Once the appropriate level is determined, direct questions should be asked and answered at that level. Explanations of a sales increase as being the result of the appointment of a new head of business development or a more aggressive sales manager should not simply be taken at face value. Questions such as what techniques were used; what was the marketing spend; how much was spent on discounts to distributors; etc., might help to get at the true underlying reason for a spike in sales. Further, a company should review its findings over subsequent periods for confirmation. So, for example, if a sales increase legitimately appears to be due to the efforts of a new person in the territory or region, is that same increase sustained in later periods? The answer to such a question might identify red flags indicating the need for further review.

A final lesson to be considered is what to do when you have an employee like Garcia. Is he a rogue employee? Does rogue mean his behavior is only sociopathic so that he appears to be operating within the rules? Or were there clear signs that greater scrutiny needed to be put in place? What about his clear attempt to bring in a corrupt agent, at the last minute of a deal, to facilitate it? This is a clear red flag and was not approved by SAP compliance. Does this put the company on notice that an employee is not only willing to go beyond the rules but also engage in illegal conduct down the road? How many passes does such an employee get before they are shown the door?

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

It is generally believed that the world’s single best selling toy is the Rubik’s Cube, invented in 1974 by the Hungarian Ernő Rubik. Although it was initially believed that Rubik’s Cube was built as a teaching tool to help his students understand 3D objects, the inventor has said his purpose was solving the structural problem of moving the parts independently without the entire mechanism falling apart. Further, even he did not realize he had created a puzzle until the first time he scrambled his new Cube and then tried to restore it. The cube made its international debut in 1980 and the rest, as they say, is history.

I thought about Rubik and his famous (and for me – very frustrating) Cube when I read a recent article in Adam Bryant’s New York Times (NYT) Corner Office column where he interviewed Liz Pearce, Chief Executive Officer (CEO) of LiquidPlanner, a project management software firm. Pearce said that leadership is like a Rubik’s Cube in that you have to put all the pieces together. I thought that was a very apt analogy for a Chief Compliance Officer (CCO) or compliance practitioner because there are so many moving parts in the job of any compliance professional.

Pearce said, “When you’re running a start-up, you have this finite set of resources, and you have this huge goal. So you look at all the angles, and twist things this way and that as you’re thinking, “What if we did it this way?”” But more than simply the technical side of a Rubik’s Cube analysis, Pearce also talked about the people part of the equation. She said, “And every new employee who comes in is like Christmas morning. What are they going to bring to the table? What do they know that can help us? How can we help them?”

This certainly comes into play when working with other corporate functions to assist in the doing of compliance in an organization. For instance, Human Resources (HR) can be a key asset in your compliance program. HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR often is on the front line for hotline intake and responses. These initial responses may include triage of the complaint and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. Because things that might work, and even be legally mandated, in Texas may not work in other areas of the globe, this advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the ‘Document, Document, and Document’ portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be included in each audit. Further, compliance risks can also be evaluated during this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert (SME) so you can turn to them for any of your compliance program requirements, which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback on new policies to let you know if they do not make sense. In some new environments, a policy may not work. If your company uses SAP and you make an acquisition of an entity that does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often overlooked function but it facilitates local coordination, which is always easier than coordinating from the corporate office.

Pearce also had another insight that is not often discussed. It is that as a CCO or even compliance professional, if not held to a higher standard, you are certainly watched more closely. As Pearce put it, “I’ve had light-bulb moments when I realized I have to be really thoughtful about what I ask for and how I ask for it, because people are watching and listening closely, and caring in a way that they didn’t when I didn’t have this title. That’s always been a little bit uncomfortable for me. I don’t have this grand image of myself. I’m just like everybody else.” Roy Snell and Donna Boehme are probably two of the leading advocates about how the CCO or compliance practitioner should carry himself or herself, not simply to do the right thing, but to stand as an advocate for telling the whole story. This is far different from the role of a corporate legal department or any other corporate department. Just as Pearce realized as a leader she had to be more thoughtful, I think as a compliance professional, you should be mindful of this as well.

When I initially went to an in-house legal position, I was amazed at the depth and quality of the challenge. You had to factor in state law, US federal law, usually a foreign law (or two) and then, of course, internal company policies. I described it as a three-dimensional chessboard with any one move affecting the rest of the board. The same is true for the compliance function, but only more so. I find the Rubik’s Cube of leadership to be an apt metaphor for the compliance function as well.


Today, I continue my exploration of data analysis with Joe Oringel, co-founder and Managing Director of Visual Risk IQ, a consulting firm that helps audit and compliance people see and understand their data. Today, we look at how to set up a data analysis program and how to use it to help monitor for a compliance program.

I asked Oringel how he helps clients think through a project that involves data analytics. As a lawyer, I was intimidated by the issues of not only how to get the data but how to use it going forward. Oringel then laid out their firm’s five-step process and said that for any Visual Risk IQ analytics project, the steps are: (1) Brainstorming, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Step 1 – Brainstorming

It all begins with Step 1, brainstorming. Any data analysis project in a compliance setting, or any business context, begins by picking the business questions to answer with data. So in an initial meeting, Visual Risk IQ’s team might ask one or more of the following opening questions: What do we expect to find if we do a detailed review of this data? What policies should have been followed? What would a mistake or even fraud look like? The data to be reviewed could be expense reports, accounts payable invoices, or sales contracts. The key to successful brainstorming is to identify the questions you want to ask and answer, and then identify the digital data sources that can best answer these questions. This process should be iterative, with questions being refined based on the available sources of digital data. The brainstorming process that Oringel and his team use is central to their work in helping clients develop queries specific to their organization.

Step 2 – Acquire and Map the Data

Acquiring and mapping data can be a technical step, but most modern software can create files that can be easily read by basic data analysis software, such as Microsoft Excel, as well as more advanced tools. Mapping data is simply identifying, naming, and categorizing the data fields (e.g. text, dates, numbers) so that the software tool can best interpret the data for analysis. Many data sources are internal (e.g. sales or expense transactions) but increasingly external sources from vendors and business partners are used too. Even the US Government is an occasional data source for analytics, as various Federal Departments publish watch lists of debarred individuals and companies.

Once the data is loaded into the analysis tool, control totals should be compared to source systems for completeness and accuracy. Oringel recommends comparing record counts, grand totals, and even selected balances for a sample of records to make sure that nothing was lost in translation into the data analysis tool. Once data is confirmed to be complete and accurately loaded and mapped into the analysis tool, then the real fun can begin.

Step 3 – Writing the Queries

Oringel identified Step 3 as writing the queries. Though it can be valuable to double-check the accuracy of reports that are provided from existing internal and external systems, Oringel recommends using data analysis to answer questions that are not readily reported from internal systems. Often comparing data across multiple data files can yield the most interesting results.

While writing queries surely sounds technical, it can be quite simple. Sorting data from oldest to newest or biggest to smallest is often only a few clicks of the mouse. Once sorted by several different columns, business insights can be quick. Writing queries is simply writing the business questions you laid out in the brainstorming session, and using software in a way that makes it easy to understand the answers.

A simple example would be “Show me any purchasing transaction that didn’t have the proper pre-approval.” This answer can be identified by comparing the dates between purchase orders and invoices, and then looking for any vendor invoice date that is prior to the purchase order date. Other query techniques are similarly simple, yet effective.

Step 4 – Analyze and Report Results

Oringel said that Step 4 is to analyze and report the results. I have wondered how a compliance practitioner would be able to not only view but then use such information. He said that Visual Risk IQ’s tagline comes from this notion. “See. Analyze. Act.” has been a part of their firm since 2006. By summarizing results in a way that measures something important, an action step becomes apparent. In the example above, if a vendor’s invoice date pre-dated its purchase order then the action step is to understand if the date it was received may be later than the date on the document itself. Perhaps the vendor has backdated that invoice in hopes of earlier payment, instead of our purchase order having been created after the fact to cover up the lack of required pre-approval.

Oringel recommends summarizing the results of data analysis in visual form, for example by showing color, size, and location in a graph, so that the compliance practitioner can understand what has happened, quickly see the data and conclude whether the picture supports a decision that the transaction was or was not compliant.

Step 5 – Refine and Sustain

That brings us to Step 5, which Oringel identified as refine and sustain. Part of this step is about fixing the root cause of any problem identified through data analysis. I certainly believe one of the key functions for any compliance practitioner, and one of the first things you should do, is to make sure any violations of your policies and procedures do not move to an illegal conduct stage.

Yet there are other remedial steps that Oringel believes are critical at this stage. He said that when a condition or transaction is identified as being a potential issue, documenting the next action step and ensuring its proper completion is important. If an employee incorrectly submitted a personal or duplicate expense (e.g. they claimed $20 for a lunch yet they were listed as having attended a lunch paid by someone else on the same day) and they were reimbursed for a personal expense on a travel expense trip report, then the organization should ask for reimbursement of that expense and ensure thorough follow-up.

Consistent action when these circumstances arise is important. Seeking and obtaining reimbursement for improper expenses should not be based on whether the employee is an officer or a manager or an individual contributor, or even the amount of the error.
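Steps 2 through 4 above, worked through as an added example that is not from Oringel or Visual Risk IQ: it reconciles control totals after loading, runs the pre-approval query by comparing invoice and purchase order dates, and summarizes the exceptions by vendor. The CSV extracts, field names, vendor names and source-system totals are constructed for illustration, and the check for an invoice with no matching purchase order goes slightly beyond the query described in the text.

```python
import csv
import io
from collections import Counter
from datetime import date
from decimal import Decimal

# Constructed sample extracts (hypothetical field names and vendors).
PURCHASE_ORDERS_CSV = """po_number,vendor,po_date,po_amount
PO-1001,Acme Supply,2016-01-04,12500.00
PO-1002,Borealis Ltd,2016-01-11,8300.50
PO-1003,Acme Supply,2016-02-02,4100.00
PO-1004,Cobalt Traders,2016-02-15,22000.00
"""

INVOICES_CSV = """invoice_number,po_number,vendor,invoice_date,invoice_amount
INV-501,PO-1001,Acme Supply,2016-01-20,12500.00
INV-502,PO-1002,Borealis Ltd,2016-01-08,8300.50
INV-503,PO-1003,Acme Supply,2016-01-28,4100.00
INV-504,PO-1004,Cobalt Traders,2016-03-01,22000.00
INV-505,PO-9999,Cobalt Traders,2016-03-05,950.00
"""

# Control totals as reported by the source system (constructed values).
SOURCE_CONTROL_TOTALS = {
    "purchase_orders": {"records": 4, "total": Decimal("46900.50")},
    "invoices": {"records": 5, "total": Decimal("47850.50")},
}


def load(csv_text, date_field, amount_field):
    """Step 2: load an extract and map the date and amount fields to real types."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row[date_field] = date.fromisoformat(row[date_field])
        row[amount_field] = Decimal(row[amount_field])
        rows.append(row)
    return rows


def check_control_totals(rows, amount_field, expected):
    """Step 2: compare record count and grand total to the source system.

    Returns a list of discrepancies; an empty list means the load reconciles.
    """
    problems = []
    if len(rows) != expected["records"]:
        problems.append(f"record count {len(rows)} != {expected['records']}")
    total = sum((r[amount_field] for r in rows), Decimal("0"))
    if total != expected["total"]:
        problems.append(f"grand total {total} != {expected['total']}")
    return problems


def find_preapproval_exceptions(purchase_orders, invoices):
    """Step 3: flag invoices dated before their purchase order, or with no PO."""
    po_by_number = {po["po_number"]: po for po in purchase_orders}
    exceptions = []
    for inv in invoices:
        po = po_by_number.get(inv["po_number"])
        if po is None:
            reason, days_early = "no matching purchase order", None
        elif inv["invoice_date"] < po["po_date"]:
            reason = "invoice dated before purchase order"
            days_early = (po["po_date"] - inv["invoice_date"]).days
        else:
            continue  # invoice follows an existing PO: no exception
        exceptions.append({
            "invoice_number": inv["invoice_number"],
            "vendor": inv["vendor"],
            "amount": inv["invoice_amount"],
            "reason": reason,
            "days_early": days_early,
        })
    return exceptions


def summarize_by_vendor(exceptions):
    """Step 4: count exceptions per vendor so reviewers know where to look first."""
    return Counter(e["vendor"] for e in exceptions)


if __name__ == "__main__":
    pos = load(PURCHASE_ORDERS_CSV, "po_date", "po_amount")
    invs = load(INVOICES_CSV, "invoice_date", "invoice_amount")
    # Refuse to analyze data that does not reconcile to the source system.
    for name, rows, field in (("purchase_orders", pos, "po_amount"),
                              ("invoices", invs, "invoice_amount")):
        issues = check_control_totals(rows, field, SOURCE_CONTROL_TOTALS[name])
        if issues:
            raise SystemExit(f"{name} failed reconciliation: {issues}")
    found = find_preapproval_exceptions(pos, invs)
    for e in found:
        print(e["invoice_number"], e["vendor"], e["reason"], e["days_early"])
    print(dict(summarize_by_vendor(found)))
```

A flagged invoice is a question to follow up, not a finding: as Step 4 notes, the vendor may have backdated the invoice rather than the purchase order having been created after the fact.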

I turn briefly to the COSO Framework, which was updated in 2013 and became much more prescriptive with respect to the elements of an effective internal control program. There are five objectives under the COSO Framework and the fifth and final objective is monitoring activities. Monitoring activities are those that management should perform to ensure that the control environment, risk assessment, control activities, information and communication layers have been affected.

The only way that I know to make sure that the principles of effective internal controls have been followed is to do some monitoring. Oringel turned to one of his favorite subjects for an analogy, how his children are performing in school. He believes that he and his wife have set a robust “tone-at-the-top” around the importance of attendance, homework and strong academic performance and that they provide some direction for the children about what is important in terms of their results at school. There are some control activities that he can utilize in terms of reviewing their schedule, homework, how much time they spend studying versus playing video games, but the best technique to make sure they are getting the outcomes that they want for them academically is to do some monitoring and an evaluation of their performance.

A way to do that is to monitor their academic performance through an application used in his hometown called “PowerSchool.” It allows the parents and the students, together or separately, to log on and answer the questions, “Was the homework assignment turned in?”; “What was the grade on the homework assignment?”; and “Was the most recent grade better or worse than last time?” Oringel said, “We use PowerSchool as a data-driven monitoring tool to make sure that our kids are performing in school the way that we want them to.”

Tomorrow we begin to consider some case studies from projects Oringel and Visual Risk IQ have engaged in and how they demonstrate the use of data analysis in an anti-corruption compliance program.

——————————————————————————————————————————————————————————————————————————————————————————————————

Joe Oringel is a Managing Director at Visual Risk IQ, a risk advisory firm established in 2006 to help audit and compliance professionals see and understand their data. The firm has completed more than 100 successful data analytics and transaction monitoring engagements for clients across many industries, including Energy, Higher Education, Healthcare, and Financial Services, most often with a focus on compliance.
Joe has more than twenty-five years of experience in internal auditing, fraud detection, and forensics, including ten years of Big Four assurance and risk advisory services. His corporate roles included information security, compliance and internal auditing responsibilities in highly-regulated industries such as energy, pharmaceuticals, and financial services. He has a BS in Accounting from Louisiana State University, and an MBA from the Wharton School at the University of Pennsylvania.

Joe Oringel can be reached at joe.oringel@visualriskiq.com.


This week I will begin a five-part series exploring data analysis and how it can be used by the Chief Compliance Officer (CCO) or compliance practitioner to support a best practices compliance program under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption compliance regime. My partner in this exploration is Joe Oringel, a co-founder and Managing Director at Visual Risk IQ, a data analytics services firm, whom I interviewed for this series.

Today, we will focus on the basics of data analysis and how it differs from other forms of data testing such as sampling and inspection of documents. Next I will consider how to think through the use of data analysis and the COSO Framework. Then I will explore some of the ways Oringel and his team have used data analytics to assist companies in ways that are analogous to FCPA based compliance programs. Additionally, Oringel and I recorded a three-podcast series where we explored these issues in an interactive format. If you check out the podcasts you will be eligible to receive an additional White Paper, at no cost, on the complete series and topic.

Being a recovering trial lawyer, I began with the basics, which is: what are data analytics and data analysis? Oringel kept it simple, saying that it’s merely using data to answer questions. He noted that such analysis predates computers since Sherlock Holmes became well known for using deductive reasoning to make determinations from data based evidence. In the 21st century business world, the best evidence that we have as to whether something took place or not is most often digital evidence. Oringel pointed to a variety of authoritative digital data sources, which intone that modern data analysis is a process of inspecting, cleansing, transforming, and modeling data with the goals of highlighting useful information and supporting our decision-making, so data analysis is answering a question with data.

Oringel next pointed to another set of definitions for data analysis, which derived from Thomas Davenport, who is a well-known academic and author who teaches at Babson College. Davenport incorporates the notion of time to categorize data analytics as answering certain questions about either the past, the present or even the future. Incorporating time into analytics focuses these efforts so you can build repeatable patterns into the questions that should be asked and answered.

Oringel, who has both academic and professional training as an internal auditor, said that external financial auditors, like the Big Four, usually focus on answering the question, “What has happened?” This is really a focus on historical transactions, looking backwards and looking at the reporting of transactions, for example what was recorded in the books and records of the company? How was the transaction recorded? Why was the transaction recorded a certain way?

I next turn to the difference between data analysis and traditional internal auditing or sampling. Oringel believes this is the most significant change in technology in the last 25 to 30 years, due to the advent of the personal computer and the associated spreadsheet and database software that allow auditors to draw their conclusions from data, and to base those conclusions not on a sample of data but on an analysis of the whole population of data. He said, “In the late 1980’s, early 1990’s, the predominant technique that internal auditors used was sampling. If an audit was designed to vouch fixed assets, auditors would pick a sample of 25 or more fixed assets; re-compute, or test, the acquisition date, and the disposition date; and finally re-compute depreciation by hand. If the fixed assets in our sample were properly recorded, then we looked up on a statistical chart or table and concluded that we were sufficiently confident that all of the fixed assets at the company were properly stated.”

He further said “with today’s digital accounting software, every fixed asset can be downloaded and the depreciation re-computed based on the acquisition date and the disposition date and the various depreciation rules for each asset class. If there are any differences in the valuation of any asset, the differences can be found through data analysis. Data analysis allows a company’s auditor, whether internal or external, to re-compute or model the financial recording of transactions, as they ought to be recorded and, therefore, have even greater confidence than if they had tested using sampling. By analyzing every asset and related transaction, a company is able to test the entire population and be much more confident in the results. This has obvious implications for any FCPA audit as there is no materiality standard under the FCPA.”

Data analytics can transition from a review of historical transactions to a review of current transactions simply by asking similar questions of similar data, but with a change in focus. This focus change is to answer the question “what is happening now and what should we do about it” instead of merely “what has happened.” When your bank or credit card company puts a freeze on your charge card because of suspicious transactions, they are using data analysis as an alerting function. More sophisticated companies use these sorts of data analytics tools and processes as part of their compliance program for areas like monitoring for improper payments or identifying vendors who may be a match with entities on a Denied Parties list.

This use of monitoring as an alerting task is a logical next step for compliance teams, but most are not yet there, for any number of reasons. The transition from data analytics as historical analysis to alerting through continual or continuous monitoring can be a challenge, and it is still an emerging best practice. Continual or continuous monitoring establishes these alerts and prompts us to take action based on something that happened just a moment ago.

I asked Oringel if he could provide an example along the lines of the FCPA Guidance jointly released by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC), which says that the goal of a best practices compliance program should be to prevent, detect and remedy matters before they become FCPA violations. He translated the FCPA Guidance into “Stop, find and fix”. He believes that it is about asking what time period you are pulling the data from, so if you are looking at transactions that happened 6 or 9 months ago, then your analytics are serving as a reporting function. He gave an example where a business development person entertained a government official, yet did not seek preapproval to do so. Unfortunately, the amount spent was more than was allowed under the company’s Gifts and Entertainment Policy for entertaining a foreign official. Now the compliance function needs to fix that policy violation and make sure that it does not happen again.

The next frontier for data analytics is a move from alerting to predictive analytics, which is using data analysis to predict what will likely happen in the future. This allows us to move from answering questions about what has happened in the past or present to what will likely happen in the future. While predictive analytics is common in many industries and processes, like Commercial Lending or Insurance, it is not at all common in compliance. Yet.

The “find” capability goes from the past to the present and to the future and may be where the most advanced audit and compliance teams go next. This actually moves to an almost prescriptive action, where, because you were able to predict, or have an insight, going forward you are able to deliver a risk management solution to that potential situation.

Oringel concluded by saying that it is this future orientation, with data analysis as a predictor, that he believes is the next step in the compliance function using data. A company can score high-risk employees in their unit by identifying the salespeople who tend not to respect the organization’s T&E policies; who spend too much on lavish meals or engage in other activities which contradict company policies, such as neglecting mandatory compliance training or simply being routinely late with expense report submissions.

============================================================================================================================================================================

Joe Oringel is a Managing Director at Visual Risk IQ, a risk advisory firm established in 2006 to help audit and compliance professionals see and understand their data. The firm has completed more than 100 successful data analytics and transaction monitoring engagements for clients across many industries, including Energy, Higher Education, Healthcare, and Financial Services, most often with a focus on compliance.
Joe has more than twenty-five years of experience in internal auditing, fraud detection, and forensics, including ten years of Big Four assurance and risk advisory services. His corporate roles included information security, compliance and internal auditing responsibilities in highly-regulated industries such as energy, pharmaceuticals, and financial services. He has a BS in Accounting from Louisiana State University, and an MBA from the Wharton School at the University of Pennsylvania.

Joe Oringel can be reached at joe.oringel@visualriskiq.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

As I end my week’s exploration of the intersection of bribery and corruption in international sports, I have also ended a week of solid listening to The Eagles’ 1970s studio albums. In honor of Glenn Frey, I will also end this week with a final tribute to Frey and his work with this seminal band from the 70s. Today, it is a tribute to the first Eagles hit, Take It Easy. While Jackson Browne was the primary author of this song, Frey stepped in to finish it when Browne could not complete it. The Eagles also opened their first album, titled The Eagles, with this cut.

I cannot think of anyone born after about 1970 who does not instantly recognize the opening chords from Bernie Leadon’s lead guitar on this iconic song. If this song alone does not make you want to go to Winslow, Arizona, well, probably nothing will. In fact the song made the town so famous that the city of Winslow erected a life-size bronze statue and mural commemorating the song, at the Standin’ on the Corner Park. The statue stands near a lamp post, the male figure securing an acoustic guitar between his right hand and the shoe of his right foot. Above his head, a metal sign, crafted in the style of US Route shields, displays the words “Standin’ on the corner”.

As I have noted this week, the world of sports continues to provide ample lessons to be learned for the Chief Compliance Officer (CCO) or compliance practitioner. Although we no longer have the sad sack Astros to kick around, there are many other candidates out there you can draw inspiration from for your compliance regime. For today, I want to recap some of these lessons.

Perhaps the clearest sign from the scandals reviewed this week and the ongoing Fédération Internationale de Football Association (FIFA) scandal is the role of regulators such as the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in leading the international fight against bribery and corruption. Only the US had the wherewithal to bring the charges against FIFA. While the Swiss have tagged along, they certainly did not take anything like the lead in this matter. Further, the allegations of FIFA’s bribery were publicized in Britain as long ago as 2010 and the Serious Fraud Office (SFO) never brought charges against FIFA or its cronies.

The bottom line is that only the US government has the ability and, more importantly, the will to engage in such a worldwide investigation and coordinate the actions of numerous countries in providing assistance. Do you think the Swiss police would have been so involved if it was not for the US government lead in this investigation? From President Obama on down, the US government has made clear that it will lead the international fight against bribery and corruption. The FIFA indictments are yet one more indication that they will continue to do so.

The International Association of Athletics Federations (IAAF) scandal has certain aspects similar to FIFA, but made even more invidious. Not only was there a long-entrenched, self-serving and self-congratulatory cabal running the organization, but they even outdid FIFA by allegedly extorting money from athletes whom they suspected of using performance enhancing drugs to suppress positive drug tests. These officials were allowed not only to run rampant but also to engage in what was essentially self-government. Kind of like having the foxes guard the henhouse.

I think the lesson is that checks and balances form the basis of compliance and are required in any best practices compliance program. Some of these checks and balances take the form of multiple internal levels of oversight, such as a Compliance Committee, which might be made up of senior managers from various disciplines; another level is brought about by internal controls and the concept of the segregation of duties (SODs). No one person should be allowed to have so much discretionary power that they can approve vendors, approve contracts, and then approve invoices for payments on those same vendors and contracts they have previously approved.

In the corporate world this is fairly standard in the US, but there continue to be Foreign Corrupt Practices Act (FCPA) enforcement actions, emanating from outside the US, where a Country or Regional Manager can make such multiple approvals. This is not only a recipe for disaster financially but also makes it much easier to create a pot of money to pay a bribe. Internal controls also work towards having continuous oversight; if a technology solution is used, it can facilitate both the prevent and detect prongs of a best practices compliance program.
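The segregation of duties rule above lends itself to a simple detective control over an approval log. The following is an added example, not code from the article; the log layout, step names, user ids and vendor ids are constructed assumptions.

```python
from collections import defaultdict

# The three approvals the rule says one person should not hold for the same vendor.
CHAIN = ("vendor", "contract", "invoice")

# Constructed approval log: (approver, approval step, vendor id, document reference).
APPROVALS = [
    ("a.ruiz",  "vendor",   "V-100", "ONB-1"),
    ("b.chen",  "contract", "V-100", "CTR-7"),
    ("c.okoye", "invoice",  "V-100", "INV-31"),
    ("r.mgr",   "vendor",   "V-200", "ONB-2"),
    ("r.mgr",   "contract", "V-200", "CTR-9"),
    ("r.mgr",   "invoice",  "V-200", "INV-40"),
    ("r.mgr",   "invoice",  "V-200", "INV-41"),
    ("a.ruiz",  "vendor",   "V-300", "ONB-3"),
    ("b.chen",  "contract", "V-300", "CTR-11"),
    ("b.chen",  "invoice",  "V-300", "INV-52"),
    ("r.mgr",   "invoice",  "V-100", "INV-60"),
]

def sod_conflicts(approvals):
    """Flag each (approver, vendor) pair where one person approved 2+ steps of the chain."""
    seen = defaultdict(lambda: defaultdict(list))
    for approver, step, vendor, ref in approvals:
        if step not in CHAIN:
            raise ValueError(f"unknown approval step: {step!r}")
        seen[(approver, vendor)][step].append(ref)

    findings = []
    for (approver, vendor), steps in sorted(seen.items()):
        held = [s for s in CHAIN if s in steps]
        if len(held) >= 2:
            findings.append({
                "approver": approver,
                "vendor": vendor,
                "steps": held,
                # Vendor, contract and invoice all approved by the same person.
                "full_chain": len(held) == len(CHAIN),
                "refs": [r for s in held for r in steps[s]],
            })
    return findings

if __name__ == "__main__":
    for finding in sod_conflicts(APPROVALS):
        print(finding)
```

Run continuously against new approvals, the same check serves the detect prong; enforced in the workflow before an approval is accepted, it serves the prevent prong.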

The lesson for the US company which does not have a compliance program in place is that the basic forms of corporate governance are not only mandatory for a compliance and ethics regime but they are also the basics for any minimums of corporate governance in the 21st century. The level of any fraud, including bribery and corruption under the FCPA, can be low, yet the attendant costs can be far in excess of any fine or penalty. For FIFA and the IAAF, their cost will be played out in the international press and court of world public opinion for some time to come. For the former heads and senior members of those organizations, the cost may well be more pedestrian, with jail terms for felony criminal violations.

Finally, from the allegations around offers of bribes to throw matches in professional tennis comes the clear lesson that employees who are offered bribes need to have an avenue to be able to report such conduct. For the CCO, it is important that employees have confidence and trust in the organization so they are willing to make such reports. To stop the scourge of bribery and corruption in any international sports group, the management must take the lead in communicating that such actions will not be tolerated and that anything less would result in expulsion and banishment. That is similar to any top management that must clearly set the expectation that it is more important for employees to follow the law than to make their quarterly numbers. For if management does not do so and communicates that making your quarterly numbers is more important, employees will find a way to make their quarterly numbers.

Moreover, it is important that any company knows if a vendor, sales agent or any other party has offered or demanded a bribe to do business. Even if your employees toss them out of the office on their collective ear, it is incumbent that you be made aware of the demand/offer so you can bring it to the attention of the counter-party and take appropriate remedial action. Indeed, in many industries the number of agents or other representatives is small enough that they can be known. If there is a collective refusal to do business with such corrupt third parties, it can be a powerful driver of business behavior.

So I end this week with a fond farewell to Glenn Frey and I hope you are taking it easy about now. For a YouTube clip of The Eagles playing Take It Easy, click here.
