The D & O Diary
Guest Post: Testing How Clean Your Books Really Are -- The Case for Active Monitoring
One of the more challenging exposures that many companies face is the possibility of an FCPA enforcement action. Because of the risk of fines, potential prosecution and reputational damages, many companies understand the need to implement compliance programs to try to avoid these problems. In a guest post, Al Vondra (pictured), a partner in the Professional Services practice of PwC, makes the case for active compliance monitoring. In his guest post, Vondra suggests that “companies that embrace the opportunity to shore up their compliance program by proactively monitoring policies and training to see if they have gained traction can gain a competitive advantage.”
I would like to thank Al for his willingness to publish his guest post on this site. I welcome guest posts from responsible commentators on topics of relevance to this blog. Any readers who are interested in publishing a guest post on this site are encouraged to contact me directly. Here is Al’s guest post.
The global anti-corruption movement continues to grow. Today’s business environment prominently features a near zero-tolerance stand when it comes to bribery and corruption. Plenty of companies have already initiated compliance programs and policies. But far too few are taking equally appropriate steps to confirm their effectiveness and adherence. If you are not actively monitoring and testing, you may not be prepared to compete in today’s increasingly interconnected world. Leadership should take heed. Government enforcement of the Foreign Corrupt Practices Act (FCPA) will not be slowing down anytime soon. The staffing level of FCPA prosecutors is at an all-time high, and major US Attorneys’ offices around the country are devoting significant legal resources to active cases, according to government officials.
Moreover, while the FCPA may be the most familiar, there is a continued, growing worldwide focus on non-US anti-bribery and corruption enforcement, including the 2011 UK Bribery Act and major initiatives by the Organisation for Economic Co-operation and Development, World Economic Forum, World Bank, and the United Nations Convention Against Corruption.
Government enforcement rigor, combined with the continued expansion of US companies into overseas markets, means that business leaders should enhance and continue their efforts to remain in compliance with FCPA or face potential prosecution, fines, and reputational damage.
Companies that embrace the opportunity to shore up their compliance program by proactively monitoring policies and training to see if they have gained traction can gain a competitive advantage.
The regulatory landscape: Reinforcing the focus on monitoring and testing
Regulators expect companies to assess their corruption risk, establish a compliance program, and actively monitor and test that program. Many businesses currently rely too heavily on corporate policies without field testing their efficacy. They can instead be actively monitoring and testing transactions to confirm compliance. Although many business leaders are more familiar with FCPA anti-bribery provisions, the DOJ and SEC are ever more frequently citing violations of internal control and books and records provisions. These cases were settled primarily through private letter, deferred prosecution, or non-prosecution agreements.
The DOJ frequently uses deferred prosecution agreements and non-prosecution agreements as tools to help establish new leading practices for corporate compliance programs in numerous diverse industries and legal areas. Such agreements enable prosecutors and other government regulators to craft detailed compliance measures for one company in a given industry to serve as a benchmarking signal for other companies.
Many settlement agreements refer to agreed upon compliance programs that include active monitoring at foreign locations to avoid future prosecution. There is a strong and increasing regulatory expectation that companies will continuously monitor and test their compliance programs. This is not a new concept. The expectation is cited in the US Sentencing Guidelines, which call upon entities to confirm that their ethics and compliance programs are being followed and to perform ongoing monitoring and auditing to do so. SEC officials also are urging companies to focus on FCPA controls in testing their internal financial controls, even as the agency continues to bring charges against both companies and individuals.
The recent DOJ deferred prosecution agreement for a large pharmaceutical company addresses their expectation that anti-corruption reviews involving monitoring and testing will be performed proactively, with portions of the agreement containing more detailed compliance obligations than were previously issued.
A recent SEC complaint against a large software developer also discussed the company’s failure to audit certain anti-corruption controls, maintaining:
• The entity was vulnerable to misuse of 'parked' funds on the part of employees.
• The entity had failed to audit and compare the distributor’s margin against the end user price to confirm that the price structure did not house excess margins in the pricing structure.
• The company neither targeted transparency, nor audited distributors’ third party payments on its behalf, despite policies that called for approvals for marketing expense payments.
Monitoring and testing: The business case
Active monitoring and testing can help to mitigate the risk that your entity will face costly, time-consuming investigations if potential violations are publicly disclosed. In addition to responding proactively to the uptick in anti-corruption sentiment around the world, companies can derive significant benefits from FCPA monitoring and testing. Such efforts can enable them to:
• Alert employees to the commitment of management and the board to ethical business dealings.
• Reinforce company ethics policies.
• Gain a better understanding of dealings with third parties and distributors.
• Give management and the board a better sense of the effectiveness of and adherence to the company’s ethics policies.
• Reduce employee and vendor fraud.
• Establish credibility with regulatory bodies; for example, the DOJ recently disclosed its decision not to prosecute a large investment bank, in part because of its compliance program, specifically referencing the way the company tested its policies and procedures on a routine basis.
Despite regulatory expectations and the advantages to be gained through proactivity, many companies still are not responding with sufficient, thorough FCPA testing protocols. Operating in a world constrained by finite resources, many business leaders have not implemented effective self-audit programs to measure compliance.
The kind of monitoring and testing needed should also not be confused with typical financial statement or operational auditing. For one thing, there is no materiality limit on corruption violations under US law. For another, the monitoring and testing we are concerned with here requires a forensic mindset and delves into areas that usually are not reviewed.
Absent thorough active monitoring and risk assessment, including setting objectives, identifying and analyzing risks, and performing checks of related policies and controls, it is difficult to determine how well employees and third parties understand and comply with anti-bribery and corruption policies.
Effective policies, training, good tone at the top, and general supervisory authority are just a start. Leaders simply will not typically be able to effectively and quickly detect potential violations if they are relying on ineffective, inconsistent monitoring and testing.
Potential violations, often buried in the company’s books and records, if not ferreted out, simply remain hidden. Account descriptions often are vague and include thousands of transactions that are consolidated in the company’s books. Improper payments can thus be masked from supervisory management reviewing the financial results.
In the rare instance that a company has minimal FCPA risk, for example, if it is not a public company and it has no international operations, there may be no need to do FCPA monitoring. However, for a public company with international operations, it becomes a lot harder to ignore the threat of corruption.
How are they doing? The monitoring and testing landscape
Where do most companies rank in terms of leading anti-corruption practices?
At the high end of leading practices are companies that have at some point already faced government scrutiny relating to a violation; they have paid a lot of money and invested significant management resources investigating and remediating their programs, which tend to be well developed and contain critical elements, including active monitoring and testing in high-risk areas.
They ‘get it’ and have already paid the price for an ineffective program.
The second group of companies, at the low end of the curve, includes companies that have not faced such scrutiny and may believe that they are ethical and do not have a problem that anyone needs to worry about. They may have a code of conduct posted on the company website, but their training is not very good; their policies are not very clear; and they do virtually no monitoring.
Finally, there are companies that fall somewhere in the middle, with some good and some not-so-good practices.
Why aren’t more businesses buying in?
Why aren’t more companies doing better monitoring? There are many reasons, including a lack of effective, qualified resources, attempts to save costs, and a lack of commitment by management or encouragement by the board or audit committee. They also may believe that they already are doing enough.
Most compliance professionals are capable when it comes to developing policies regarding anti-corruption and anti-bribery and getting those policies into the hands of the business people who need to follow them. But the challenge is this: How do you know that what has been sent out from the corporate or regional center is actually being followed? That is where many companies fall short.
They may not have taken the time and effort to adequately test and monitor their employees’ record of following the program.
Another challenge is a dearth of qualified testers; that is, there are relatively few people who really know how to do this well, and getting them into one of the higher-risk countries when and where you need them is not always easy. This requires qualified and experienced professionals who can speak the local language; understand local business customs, schemes and regulations; and have experience in transactional testing of local business records and documentation. Many companies struggle to implement the monitoring and testing aspect of the compliance program and then learn from the findings. If asked how detection controls have changed in the last two years because of the compliance program, some companies may not be able to answer. Some companies do it quite well; others have not even started.
Testing and analyzing those controls simply cannot be done from the corporate center. You have to go into the countries and review the books and records and see what is happening on site. Sometimes, there is too much of a tendency to believe that it is enough to train people and send them out with the right rules. But you will not know what is really happening unless you pick up the rocks and look underneath. After all, isn’t it better to know?
The case for proactivity
Why wait for whistleblowers to alert management and the board to FCPA issues? The CEO, CFO, and others responsible for making certifications surrounding internal control existence and effectiveness in periodic financial filings need to ask themselves: Am I really confident of what is in the books in Country X? Right now, if testing of internal controls for anti-corruption is not yet routine for your company, such comfort may be cold at best. As a result, management may be knowingly or unknowingly putting themselves at personal risk of violating Sarbanes-Oxley’s certification provisions.
Active monitoring and testing can better promote compliance by creating a culture where employees know they will regularly be held accountable for their actions — a proven method for strengthening internal compliance. Thorough analysis can enable both preventative and detective measures. An effective monitoring strategy can help confirm compliance with the books and records and internal control provisions.
Failing to monitor is like living in a home without a smoke alarm system. You won’t know about the fire until you notice the smoke and your house is gone. Transaction testing also can validate the completeness and accuracy of your books and records. Over time, a process for following up and resolving red flags may itself become a control and provide evidence of a sound compliance program.
A proactive program will demonstrate to the regulatory community and the growing global anti-corruption movement that your organization truly understands the importance of engaging ethically enterprise-wide and across your network of stakeholders. This can boost your credibility and even reduce adverse consequences should an unforeseen problem bring regulatory scrutiny your way. At the same time, running a well-established, monitored, and tested program will give you the confidence of knowing that as far as compliance is concerned, your policies are working effectively and as intended.
Simply stated, staying clear of corruption is good for your business and good for your brand. It is good to know — and to demonstrate — that you are in good company.
Albert A. Vondra is a Partner in the Forensic Services practice of PwC in Washington, DC and Cleveland, Ohio. Mr. Vondra is a CPA (licensed in Ohio, Virginia, and the District of Columbia), a Certified Fraud Examiner, Certified in Financial Forensics by the American Institute of Certified Public Accountants, and an attorney admitted to practice law in the State of Ohio. He can be reached at email@example.com or by calling (216) 496-7716.
Upcoming Event: Readers of this blog may be interested to know about a seminar that will be held at the St. John's School of Risk Management in New York on February 5, 2013 entitled "A Day at Lloyd's: An Introduction to the Lloyd's Market Structure and the Use of ADR to Manage Disputes Involving Lloyd's." The event will be moderated by my good friend Perry Granof and includes a number of distinguished speakers, among them another good friend, Nilam Sharma of the Ince & Co. law firm. The event, which will take place on the day prior to the beginning of the PLUS D&O Symposium, runs from 12:30 to 5:00 pm. Further information about the event can be found here. You can register for the event here.
Break in the Action: The D&O Diary will be slowing down over the next few days in recognition of the holiday season. We will resume our normal publication schedule after the new year. Best wishes for a happy holiday season to all.