Tag Archives: bribery & corruption

Bribery & Deferred Prosecution

Between January and February 2015, a prominent trade organization focusing on American attorneys conducted a survey of 243 Chief Legal Officers of global companies to assess the corporate counsel’s opinion regarding the greatest threats to their organization’s growth. Respondents were asked to rank their top three concerns. Not surprisingly, economic uncertainty was at the top of the list with 57% of the respondents ranking it in their top three. The unexpected finding was that 53% of the respondents named regulatory compliance and enforcement as a top concern as well.

When asked to specify which laws caused them the most concern 28% identified the Foreign Corrupt Practices Act and 15% identified the UK Bribery Act. This means 43% of the respondents named anti-bribery laws as one of their top three concerns, more than any other law or regulation identified. When asked about the resources spent on regulatory compliance and enforcement, the response was also surprising as only 38% of the corporate counsel who identified regulatory compliance and enforcement as a threat, are expending resources to address the threat. As a follow up to the 2015 survey, the same organization conducted a second survey in early 2017 to gain further insight into corporate counsels’ ability to address regulatory and compliance threats. This time 256 respondents were surveyed, 62% of whom stated that their organization is designing or building some type of robust internal compliance program. Although this is movement in the right direction, over a third of the organizations surveyed still may not be prepared to detect or deter bribery and corruption. Most significantly, they will not be prepared to meet government expectations if a violation occurs and self-reporting is required. Lastly, 54% of the respondents stated that they are building or expanding their in-house systems to address this threat. Many believe that compliance technology is the appropriate answer as regulators prefer technical solutions to these problems, because they are viewed to be sophisticated and ‘state of the art’.

This research should be of special interest to all CFEs because we work so frequently with corporate counsels, but indeed, to assurance professionals in general who like fraud examiners are on the front line in the fight against corruption.

The Foreign Corrupt Practices Act (FCPA) was enacted in 1977 but aggressive enforcement did not really pick up until around 2005 when there were twelve enforcement actions.  The purpose of the FCPA was to prevent the bribery of foreign government officials when negotiating overseas contracts. The FCPA imposes heavy fines and penalties for both organizations and individuals. The two major provisions address: 1) bribery violations and 2) improper books and records and/or having inadequate internal controls. Methods of enforcement and interpretation of the law in the US have continued to evolve over the years.

The FCPA created questions of definition and interpretation, i.e., Who is a “foreign official?” What is the difference between a “facilitation” payment and a bribe? Who is considered a third party? How does the government define adequate internal controls to detect and deter bribery and corruption?

The enactment of the United Kingdom (UK) Bribery Act in July 2010 was the first attempt at an anti-bribery law to address some of these issues. The UK Bribery Act introduced the concept of adequate procedures, that if followed could allow affirmative defense for an organization if investigated for bribery. The UK Bribery Act recommended several internal controls for combating bribery and introduced the incentive of a more favorable result for those who could document compliance. These controls include:

• Established anti-bribery procedures
• Top level commitment to prevent bribery
• Periodic and documented risk assessments
• Proportionate due diligence
• Communication of bribery prevention policies and procedures
• Monitoring of anti-bribery procedures

The concept of an affirmative defense for adequate procedures creates quite a contrast to FCPA which only offers affirmative defense for payments of bona fide expenses or small gifts within the legal limits of the foreign countries involved.

The UK Bribery Act equated all facilitation and influence payments to bribery. Finally, the UK Bribery Act dealt with the problem of defining a foreign official by making it illegal to bribe anyone regardless of government affiliation. Several countries such as Russia, Canada and Brazil have enacted or updated their anti-bribery regulations to parallel the guidelines presented in the UK Bribery Act. The key to the effectiveness of all these acts remains enforcement.

In November 2012 the US Department of Justice and the Securities Exchange Commission released “A Resource Guide to the Foreign Corrupt Practices Act.” The guide book introduced several hallmarks of an effective compliance program. The Resource Guide provided companies with the tools to demonstrate a proactive approach to deter bribery and corruption. Companies in compliance may receive some consideration during the fines and penalty stage.

The guide’s hallmarks include:

• Establish a code of conduct that specifically addresses the risk of bribery and corruption.
• Set the tone by designating a Chief Compliance Officer to oversee all anti-bribery and corruption activities.
• Training all employees to be thoroughly prepared to address bribery and corruption risk.
• Perform risk assessments of potential bribery and corruption pitfalls by geography and industry.
• Review the anti-corruption program annually to assess the effectiveness of policies procedures and controls.
• Perform audits and monitor foreign business operations to assure compliance with the code of conduct.
• Ensure that proper legal contractual terms exist within agreements with third parties that address compliance with anti-bribery and corruption laws and regulations.
• Investigate and respond appropriately to all allegations of bribery and corruption.
• Take proper disciplinary action for violations of anti-bribery and corruption laws and regulations.
• Perform adequate due diligence that addresses the risk of bribery and corruption of all third parties prior to entering a business relationship.

The SEC and DOJ entered into the first ever Non-Prosecution Agreement (NPA) for Foreign Corrupt Practices violations in 2013. This decision was a harbinger from the DOJ and SEC with regard to future enforcement actions. The NPA highlighted the “extensive remedial measurements and cooperation efforts” that the defendant company demonstrated during the investigation. The corporation paid only $882,000 in fines because they were able to “demonstrate a strong tone from the top and a robust anti-corruption program”.

Under a Deferred Prosecution Agreement (DPA) the DOJ files a court document charging the organization while simultaneously requesting that prosecution be deferred to allow the company to demonstrate good conduct going forward. The DPA is an agreement by the organization to: cooperate with the government, accept the factual findings of the investigation, and admit culpability if so warranted. Additionally, companies may be directed to participate in compliance and remediation efforts, e.g., a court-appointed monitor.

If the company completes the term of the DPA, the DOJ will dismiss the charges without imposing fines and penalties. Under the Non-Prosecution Agreement, the DOJ maintains the right to file charges against the organization later should the organization fail to comply. The NPA is not filed with the courts but is maintained by both the DOJ and the company and is posted on the DOJ website. Like the DPA, the organization agrees to monetary penalties, ongoing cooperation, admission to relevant facts, as well as compliance and remediation of policies, procedures and controls. If the company complies with the agreement, the DOJ will drop all charges.

The key differences between a deferred prosecution case and one not featuring deferred prosecution is the initial response of the defendant company to the discovery of improper payments. In a deferred prosecution case the response usually features prompt self-reporting, full cooperation with the government and the quality of the serious remedial steps taken, including termination of implicated personnel and the modification of company behavior in the country where the violations occurred. Additionally, deferred prosecution defendants frequently discover the improper payments while in the process of enhancing their anti-bribery and corruption controls.

Originally allegations of FCPA violations were received through a company’s internal whistleblower hotline. That trend changed with the enactment of the Sarbanes Oxley Act in 2002 and the Dodd-Frank Act in 2012. These laws created other means and mechanisms for reporting suspicions of illegal activity and provided protections from retaliation against whistleblowers. The Dodd-Frank Act also has monetary incentives of 10% to 30% of the amounts recovered by the government to encourage whistleblowers to come forward. Companies considering whether to disclose potential anti-corruption problems to the SEC must now consider the possibility that a potential whistleblower may report it first to the government thus creating greater liability for the organization.

In conclusion, according to recent reporting by the ACFE, corporate compliance programs continue to mature, and are now accepted as a cost of conducting business in a global marketplace. The US government continues to clarify its expectations about corporate responsibility at home and abroad and works with international partners and their compliance programs. Increased cooperation between the public and private sectors to address these issues will assist in leveling the playing field in the global marketplace. Non-government and civil society organizations, i.e. World Bank and Transparency International play a key role in this effort. These organizations set standards, apply pressure on foreign governments to enact stricter anti-bribery and corruption laws, and enforce those laws. Coordination and cooperation among government, business and civil entities like the ACFE, reduce the incidences of bribery and corruption and increase opportunities for companies to compete fairly and ethically in the global marketplace.

Tone Deaf

tone-deafThe sensational bribery and corruption cases all over the news recently mean that tone at the top as a concept is yet again in the eye of the financial press.   Journalists of every stripe and persuasion opine on its importance as a vital control but always seem to fall short on the specifics of just how the notion can be practically applied and its strength evaluated once implemented.  One of the problems is that there are so many facile definitions of the concept in popular use.  The one I like the most is one of the simplest declaring it to be the message, the attitude and the ethical culture the board of directors and upper management disseminate throughout the organization. It’s best described as the consistency among statements, assertions and explanations of the management and its actions. In summary, tone at the top is seen by some as a part of and by others as equal to the internal control environment.

The rub comes in because tone at the top is not only far more complicated than the above definition would lead a casual reader of trade press articles to believe, but also because its invisible to the standard tests of an outside auditor or fraud examiner. So a baseline would be a valuable addition not only for fraud examiners and financial auditors, but also for all types of assurance professionals.

To determine a baseline, one first needs to define the different aspects of the target concept. Thus, a baseline might provide reviewers with a starting point to begin improving their analyses of tone at the top. ACFE studies of hundreds of companies tell us that an enriched tone at the top can not only prevent fraud through its implementation of a well-functioning internal control system, but can also have a positive impact on the financial results of an organization. Organizations with an effective corporate governance policy just perform better than those that don’t. In my own practice as an auditor and fraud examiner, I’ve found COSO’s Enterprise Risk Management (ERM) a useful framework to use in the actual practice of evaluating the effectiveness of internal controls (including tone at the top) during fraud risk assessments.

Tone at the top is based on two schools of thought in management literature: the corporate governance school and the management control systems (MCS) school. These schools of thought share three fundamental theories: the agency theory, the transaction cost economics theory and the stakeholder theory. The agency theory views an organization as a nexus of contracts. Separation of ownership and control is essential for this theory.  The agent (the manager) is in control of the organization; however, he or she does not own the organization; the organization is owned by the principal (stakeholders).  Measures (i.e., corporate governance) need to be taken to ensure that the agent will strive to achieve the goals of the principal.

Transaction cost economics (TCE) is based on the concepts of bounded rationality and of homo economicus: a person chooses the best option based on the available information.  TCF aims to explain how firms are formed.  Firms are created to minimize transaction costs.  The domain of TCE has proven useful to explain management control structures.  The performance evaluation needs to be behavioral based, with non-financial subjective measures.  Output controls are low with TCE.  Individual contributions to the organization (individual performance) are analyzed as the outcomes of contracts between the employer and the employee.

The stakeholder theory is based on the belief that besides shareholders, there are others with interest in the organization.  Corporate governance should not only solve conflicts between management and shareholders but also between the organization and other stakeholders.  Tone at the top represents a form of cultural control to the MCS school.  Cultural controls stimulate employees to monitor and stimulate each other’s behavior.  Cultural controls rely on group pressure; if a person deviates from the group’s values, the group will put the person under pressure to convert him or her back to the dominant values.  Cultural controls are usually translated in corporate governance codes.  Corporate governance codes are mainly formulated to prevent/minimize fraudulent activities in organizations by means of internal control.  Five methods of cultural controls, namely code of conduct, group rewards, transfers, physical and social controls, and tone at the top have been identified.

Tone at the top forms an important part of corporate governance codes.  Management behavior should coincide with the culture it tries to form; managers fulfill an example function. An important factor is implementing and operating a whistleblower policy; if staff at any level observes fraudulent activities they can report them and be protected against possible retaliation.

Each of our above theories concludes that an organization needs to have a corporate governance code to minimize transaction cost, manage stakeholder interest and, thereby, increase shareholder value.  However, recent well publicized corruption cases have led to calls in the popular press for a more formal approach.  So, what might such a formal, COSO based, approach look like?

First, management and the CEO need to demonstrate inspiring leadership, set the right ethical example and focus on people skills. They also need to display integrity.  Their risk awareness, actions and messages need to coincide with the dominant culture.  It is also important for managements to formally commit to competence.

As to culture, an independent and active risk culture is necessary for tone at the top to be successful.  Also, employees need to be empowered to make the right decisions.  The reward systems and the culture need to reward desired behavior and be compliant with the norms.  In the event of something going wrong despite these cultural aspects, there needs to be an effective policy present to protect whistleblowers.

Finally, the risk appetite should be linked to the strategy.  The supervisory board needs to be independent, active and involved.  Responsibilities need to be defined, and management needs to receive adequate information.

All three of the above aspects are an integral part of what the experts currently define as tone at the top.  According to the ACFE, tone at the top can assist in averting fraud throughout every level of an organization. It’s, therefore, necessary to include its assessment in the scope of the fraud examiners fraud risk assessment and to formally schedule its periodic re-evaluation.

War Stories

war-stories_2

Register Today for Investigating on the Internet May 18-19 2016 RVACFES Seminar!

I like to collect war stories from fellow fraud examiners and auditors.  This one is a story a long time member of our Chapter and a personal friend shared with me not too long ago over lunch.  It has to do with a case he investigated during the mid-nineties.  One of his client companies at the time was the wholly owned subsidiary of a prominent medical equipment wholesaler which sold primarily to local pharmacies.  It seems the subsidiary maintained a large sales force, the superstar of which was a sales manager I’ll call Drew Paul.  Paul’s division brought in over 50% of the subsidiary’s revenue and, even in a sales force of above average performers, Paul stood out.

Our Chapter member got involved with the subsidiary when a member of the parent’s audit committee requested a routine fraud vulnerability study of all the parent’s principal subs.  Paul’s sub was the second our Chapter member evaluated.  As part of the general review’s kick-off process, my friend met with the human resources head to obtain an organization chart and to familiarize himself with the sub and its operations.  Review of the data supplied by HR revealed high turnover in the sales division, turnover that was predominantly related to one sales manager, Drew Paul. He also discovered that the HR department didn’t routinely conduct exit interviews when employees left either the sales division or the company. Our member was immediately concerned because the lack of such a routine personnel procedure was unusual in a sub of such a progressive company.  Our member then scheduled a follow up meeting with the HR head which yielded some interesting observations. The HR head noted that Paul Drew didn’t seem to care about HR policies. His attitude seemed to stem from his assertion that the sales team was the “bread and butter” and that the rest of the company was dependent on it. The HR head had the impression that the sub’s CEO seemed to agree, not requiring the sales division to adhere to company policy and procedure. At our friend’s request, the HR head handed over copies of the sales senior management team’s personnel files for his review. The HR head also mentioned, as an aside, that, in her opinion, Paul’s income would not begin to support the level of his apparent lifestyle. Our member additionally found that the HR head had issued a warning letter to Paul for violating company policy by recruiting entry-level data clerks to collect checks from the subs retail pharmacy customers without HR’ s knowledge.

Given these red flags, and with the parent’s permission, our Chapter member decided to start the sales vulnerability assessment portion of the general assessment immediately. He met with the sub’s CEO and quietly put a small upper management team together to begin the review.  The first week of the assessment was spent reading company/division policies and procedures; reviewing the sales department’s structure, authority matrix, sales process, and analysis of the past two years’ sales, as well as the portion of the market (sales territories) allotted to each of the managers; and the access level controls on the sales module of the general ledger system. The review team planned the engagement to cover both compliance and substantive testing of the entire sales process. Two deficiencies came out clearly during the initial review testing: There were loose controls around issuing promotional and bonus products to pharmacies, and there were few controls on sales returns. Bonus and promotional products were used by the wholesaler to reward pharmacies that met or exceeded their sales targets, launch a new product, or successfully push a slow-moving product.

Our friend reviewed the list of past employees who were terminated or had resigned from the sales force in the last year. His eyes fell on Billy Preston who had been terminated at the end of the second quarter.  After consulting with the parent’s corporate legal counsel and obtaining consent from the audit committee, our member invited Preston to lunch the next week. Preston conveyed some astonishing things about Paul and even provided a copy of a check from a pharmacy written out to Paul (while collecting checks for the subsidiary from the pharmacy, Preston was handed the check made out to Paul). When Preston confronted Paul about the suspicious check, Paul terminated Preston on behavioral grounds and threatened to withhold severance pay if he went to HR. Considering Paul’s intimidating stature and apparent influence with the CEO and within the company generally, Preston decided to just leave the company quietly and begin looking for another job.

Apparently, Paul was using bonus and promotional products for personal gain. The value of bonus and promotional products given out to pharmacy customers amounted to 9 percent and 12 percent of total sales respectively. The lack of strictly defined policies and guidelines for the use of promotional and bonus products at the parent and sub left the distribution of them to the discretion of managers. Unfortunately, it also made it possible for Paul and (it later developed) a corrupt distribution manager at the parent working together to exploit the internal control deficiency. The bonus and promotional products program was transparent only to the two managers but not to the individual pharmacies. Keeping pharmacies in the dark about the details of how much they should be getting in bonus and promotional products if they reached sales targets, the two managers could favor the pharmacies of their choice.  With this additional information, our member further analyzed how a small number of pharmacies were favored with extra bonus and promotional items compared to other pharmacies, though the other pharmacies were giving the same amount of business to the parent. Not surprisingly, sales returns were also higher for the pharmacies receiving the extra bonus and promotional items than the average sales returns of all the other pharmacies put together. By colluding with pharmacies, Paul pushed sales at month end and arranged with the pharmacies to return their purchases by the first week of the next month so the pharmacy would not be overburdened with stock. By doing this, Paul received more commission from the parent, which was, at the time, based on gross sales and not on net sales (gross sales minus sales returns).

Our member wrote a confidential report and delivered his findings to the audit committee of the parent. After a thorough review, the audit committee chairman summoned Paul. As part of the review, Paul’s bank statements were legally obtained. The chairman asked Paul to explain why his bank records showed deposits from seven out of the 35 pharmacies he was handling. After initial denials, Paul admitted to accepting kickbacks in the amount of $175,00 by favoring certain pharmacies. He also came clean on the sales-returns routing that was conveniently altered so that certain of his sales team members would receive higher commissions than those to which they were entitled. Paul also revealed the names of several employees in his department who were helping him in the scheme. The parent decided not to press charges against Paul and the others because they agreed to repay monies received as kickbacks from the pharmacies.

For our member the takeaways are that CFE’s should tell their clients not to lose control of their subs.  Policies, procedures, and guidelines should be established in all sub departments, especially in those areas where more discretionary powers are involved. Keep the whistle blowing process transparent, approachable, and user-friendly. There also should be a mechanism in place to protect whistle blowers like Billy Preston. Management should engage CFE’s to perform regular fraud risk assessments, especially of semi-independent subsidiaries.  Finally, high turnover in a department should always be perceived as a red flag. Exit interviews should be thoroughly conducted to get to the root of a problem which can often turn out to be fraud related.

The Frauds of Hard Times

There is no question that the most common frauds of economic hard times are different than the typical frauds of a boom.  Such hard times financial schemes, often involving the procurement and contract management business processes, are usually more subtle and harder to detect than their boom time counterparts.  During a recession, e

mployees find new ways to perpetrate fraud as the company installs new systems and makes other types of changes in the business to address decreased revenues.  In addition, emp

loyees are under increasing pressure to meet financial targets which are harder to achieve in a troubled economy.

I was asked by a Chapter member at lunch a few months ago to tell her about the difference.  To my way of thinking the most likely scenarios confronted by management (and by auditors of all kinds) during a recession  include:

–intentionally mischarging time…the misuse of asset pools, mischarging of downtime, charging management time to indirect or fixed price and commercial contracts while charging direct expenses on cost-type contracts or charging direct labor to indirect accounts;

–using internal research and development funds to support a contract;

–violating recruiting rules such as recruiting a procurement official involved in an on-going contract award or knowingly recruiting a state or U.S. government employee participating in a matter involving the company without the knowledge or approval of their employing state or Federal agency;

–accepting payments, gifts or anything of value f

rom vendors to influence a procurement;

–theft or sale of company proprietary information to any kind to third parties or to company insiders;

–the management of earnings through the recording of excess liabilities or reserves to allow reversals to income in the future, changing pension assumptions to inappropriate amounts, billing and recognizing revenue for work progress that is not complete and billing more than contract provisions;

–allowing a subcontractor to provide nonconforming goods on a parent company contract;

–intentionally misallocating costs disproportionally to government cost plus contracts versus commercial or fixed-price contracts;

–giving bribes or gifts (much in the news lately) to officials of governments or of target customers at any level to influence procurement decisions;

The good news is that the knowledge among employees that auditors are present in the company or agency, even if they aren’t performing any specific tests,  acts as a significant deterrent to the commission of these types of schemes.

Wal-Mex & the Foreign Corrupt Practices Act

fishing-for-money-thumb

Since WalMart (Wal-Mex) and the Foreign Corrupt Practices Act have been much in the news these last few days, I thought I would do a short post on simple as opposed to commercial bribery. Simple bribery is really just an unethical business transaction in which there is an offer, a giving, a receiving, or soliciting of something of value to influence the official act of a public official. Official acts are usually defined as the acts of Federal, state or local government officials or employees. In the case of Wal-Max, the as yet unproven allegation is that payments were made to Mexican local government officials to speed up the granting of permits and other licenses and permissions to operate Wal-Mex retail locations in Mexico. Commercial bribery, on the other hand, typically involves the making of a payment to the purchasing officer of a business, to influence a commercial transaction.

Bribery most often involves either bid-rigging or kick-backs. Kick-backs are usually under the table payments made by those with products or services to sell the target business to target company employees involved in purchasing those products or services.  Sometimes the payer pays kick-backs just to get more business from the target. This behavior can be contrasted to bid-rigging where an employee of the target assists a bidder in getting a contract, usually under the competitive bidding process.

Under the classic kick-back arrangement, the provider of the service or product (the vendor) submits an invoice to the target organization for more than the goods are worth and an employee of the target company ensures that payment is made for the overpriced goods; the vendor then pays (kicks-back) a portion of the inflated payment to the internal accomplice.

In the Wal-Mex case, the allegations seem to fall somewhat closer to simple bribery in that it is alleged that payments were made to municipal or local government officials to speed up the licensing process itself rather than to grant licenses that might otherwise have been competitively bid and therefore involve bid-rigging.

Based on published sources, the alleged payments seem to have been made many years ago.