Fcpa Compliance Report

The basic framework for internal controls is derived from the COSO Model developed by the Committee of Sponsoring Organizations of the Treadway Commission in 1992 (COSO). This model has become the standard for an internal control framework and provides a structure to ensure companies address the key elements that should result in an effective system of internal controls. Using the COSO Model, as modified in 2013, provides a very supportable approach when regulators challenge whether a company has effective internal controls. The COSO Model defines internal controls in a pyramid, from bottom to top, as follows: (a) Control environment, (b) Risk assessment, (c) Control activities, (d) Information and communication, and (e) Monitoring. Which internal controls does a company need to institute? Each company defines its internal controls to fit its business by determining what the Company wishes to protect and what type of control environment does it want to have in place. This means that they can be less formal in

In this episode, Matt and I take a look at the sorry story of Chris Correa, the St. Louis Cardinal executive convicted of hacking into the Houston Astros computer system, which expanded last month when Federal Judge Lynn Hughes unsealed details about the extent of the illegal conduct. For all his efforts, Correa was severely punished by Judge Hughes at this sentencing. Hughes accepted the US government’s recommendation in sentencing Correa to 46 months of incarceration and fining him some $300,000. Correa was also banned from Major League Baseball (MLB) for life by Commissioner Rob Manfred.  Matt and I have both blogged on this matter. Matt takes a look at some of the lessons to be garnered by the compliance professional in his post, Two Compliance Lessons from the Baseball World. I delved into the facts to mine some interesting tidbits and consider how to compensate a business when you have stolen their IP, in blog post Of Greek Gods and Data Breaches.  Rather amazingly the Greek gods make an appearance pro

Where does “Tone at the Top” start. With any public and most private US companies, it is at the Board of Directors. But what is the role of a company’s Board in FCPA compliance? We start with several general statements about the role of a Board in US companies. First a Board should not engage in management but should engage in oversight of a CEO and senior management. The Board does this through asking hard questions, risk assessment and identification. In a White Paper, entitled “Risk Intelligence Governance-A Practical Guide for Boards” Deloitte & Touche laid out six general principles to help guide Boards in the area of risk governance. These six areas can be summarized as follows:  Define the Board’s Role-there must be a mutual understanding between the Board, CEO and senior management of the Board’s responsibilities. Foster a culture of risk management-all stakeholders should understand the risks involved and manage such risks accordingly. Incorporate risk management directly into a strategy-oversee t

The Office of Inspector General (OIG), Department of Health and Human Resources, issued a paper entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (the OIG Guidance). It provides an excellent road map for thinking about how to structure a Compliance Committee for your Board and a Board’s obligations.  As an introduction, the OIG Guidance states that a Board must act in good faith around its obligations regarding compliance. This means that there must be both a corporation information and reporting system and that such reporting mechanisms provide appropriate information to a Board. It stated, “The existence of a corporate reporting system is a key compliance program element, which not only keeps the Board informed of the activities of the organization, but also enables an organization to evaluate and respond to issues of potentially illegal or otherwise inappropriate activity.” The OIG Guidance sets out four areas of Board oversight and review of a compliance function; “(1)

Every Board of Directors need a true compliance expert sitting on their Board. Almost every Board has a former Chief Financial Officer (CFO), former head of Internal Audit or persons with a similar background and often times these are also the Audit Committee members of the Board. Such a background brings a level of sophistication, training and subject matter expertise that can help all companies with their financial reporting and other finance based issues. So why is there not such compliance subject matter expertise at the Board level?  An arm of the US government has recognized the need for such expertise at the Board level. In 2015 the Office of Inspector General (OIG) has called for greater compliance expertise at the Board level. The OIG said that a Board can raise its level of substantive expertise with respect to regulatory and compliance matters by adding to the Board, a compliance member. The presence of a such a compliance professional with subject matter expertise on the Board sends a strong mess

Under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The US Department of Justice (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Moreover, the FCPA Guidance requires a CCO to have direct access to the Board or an appropriate sub-committee. The Guidance also requires a tangible commitment from the top levels of an organization, starting with the Board of Directors that the company create an ethical culture. At the Board of Directors level, a Board Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. While many companies have fulfilled these obligations through an Audit Committee, clearly the better practice is to have a separate Compliance Committee. The reason is clear, that complian

Show Notes for Episode 6, the Rolls-Royce Global Corruption Enforcement Action This episode is dedicated exclusively to the Rolls-Royce global corruption enforcement action.  Jonathan Armstrong leads a discussion the UK side of the enforcement action. For the Cordery Compliance client alert on Rolls-Royce, see Rolls-Royce case sends a strong signal Jay Rosen considers what companies which did business with RR should do now or even companies in the same or similar industries should consider in the face of the enforcement action. For Jay’s post on Rolls-Royce, see Rolls-Royce Takes Global Anti-Corruption to New International Heights + Potential Next Steps for a CCO Whose Company has Bid/Worked with Rolls-Royce Mike Volkov talks about the types of resolution documents used in anti-compliance enforcement and some of the key strategy used by RR during the process to achieve their positive result. For Mike Volkov’s post on Rolls-Royce, see Serious Fraud Office Makes Big Splash with UK Bribery Act Resolutio

What are the obligations of a Board member regarding the FCPA? Are the obligations of the Compliance Committee under the FCPA at odds with a director’s “prudent discharge of duties to shareholders”? Do the words prudent discharge even appear anywhere in the FCPA? In webinar, entitled “Reporting to the Board on Your Compliance Program: New Guidance and Good Practices”, Rebecca Walker and Jeffery Kaplan, explored these and other issues. As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, Walker looked to Delaware corporate law for guidance. She cited to the case of Stone v. Ritter for the proposition that “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate exists.” From the case of In re Walt Disney Company Derivative Litigation, she drew the principle that directors should follow the best practices in the area of ethics and compliance. In a recent Compliance Week article, Melissa Aguilar examin

Case Law As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc. was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues. Second, the Court found that there is no duty of good faith that forms a basis, independent of the duties of care and loyalty, for director liability. Rather, Stone v. Ri

John MacKessy, writing in the Finance Professionals’ Post, in a piece entitled “Knowledge of Good and Evil: A Brief History of Compliance”, noted that the FCPA and Environmental Protection Act (EPA) “prompted companies to develop internal resources that would actively monitor compliance with the laws, rules, and regulations of their industries.” The next step in the evolution of the compliance profession was the defense procurement scandals from the 1980s, where the industries sales of “$400 hammers and $600 toilet seats” to the US government led to the Defense Industry Initiative (DII). This industry led initiative created “a set of principles endorsing ethical business practices and conduct” within the defense industry for its dealings with the US government. The next step in the evolution of the compliance profession was the 1992 US Sentencing Guidelines which, for the first time, set out what the government would consider for credit in sentencing of organizations. Many tribute these 1992 Sentencing Guidel

Today is the penultimate day of my 30 days to a better compliance program. Just as compliance programs sprang up, grew and began to evolve and mature in the middle of the last decade; the sophistication of the regulators has also increased. We most clearly see this in the appointment of the Department of Justice (DOJ) Compliance Counsel, Hui Chen.  With her initial public remarks, Chen provided insight into how she would consider the effectiveness of a compliance program. Her key point was companies should operationalize their compliance program by tying it to functional disciplines within your company. This means that Human Resources (HR), Payment, Audit, Vendor Management and similar corporate disciplines should be involved in the operation of your compliance program in their respective areas of influence. Then in April 2016 under the remediation prong, with the initiation of the DOJ Pilot Program around FCPA enforcement, the DOJ once again emphasized the operationalization of a company’s compliance program

Employment separations can be one of the trickiest maneuvers to manage in the spectrum of the employment relationship. Even when an employee is aware layoffs are coming it can still be quite a shock when Human Resources (HR) shows up at their door and says, “Come with me.” However, layoffs, massive or otherwise, can present some unique challenges for the FCPA compliance practitioner. Employees can use layoffs to claim that they were retaliated against for a wide variety of complaints, including those for concerns that impact the compliance practitioner. Yet there are several actions you can take to protect your company as much as possible.  Before you begin your actual layoffs, the compliance practitioner should work with your legal department and HR function to make certain your employment separation documents are in compliance with the SEC retaliatory language prohibition which attempts prevent employees from bringing potential violations to appropriate law or regulatory enforcement officials. If your compa

As they made clear with several FCPA enforcement actions in 2016, the SEC has placed a renewed interest in the accounting provisions of the FCPA, specifically the internal controls provisions. The BHP enforcement continued this trend, where there was no evidence that bribes were paid or offered in violation of the FCPA,  the poor internal compliance controls at BHP led to a $25MM fine. Indeed Kara Brockmeyer, Chief, FCPA Unit; Division of Enforcement of the SEC, reiterated that the SEC was committed to protecting investors in US public companies and those which list other securities in the US, through enforcement of the accounting provisions, including internal controls provisions of the FCPA. It would seem that the reason is straightforward; a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur. What can you do around the FCPA’s requirements for internal controls and current SEC emphasis? I would suggest that you begin with an exe

Many Chief Compliance Officers (CCOs) and compliance practitioners struggle with metrics to demonstrate revenue generation. Most of the time, such functions are simply viewed as non-revenue generating cost drags on business. This may lead to compliance functions being severely reduced in this downturn. However I believe such cuts would be far from short-sighted; they would actually cost energy companies far more in the short and long term. In an economic downturn, I see two increasing compliance risks for companies. The first is that companies will attempt to reduce their costs by cutting their compliance personnel. A tangent but equally important component of this will be that companies that do not invest the monies needed to beef up their oversight through monitoring or other mechanisms are setting themselves up for serious compliance failures. Moreover, what will be the pressure on the business folks of such companies to ‘get the deal done’? Further, if there is a 10% to 30% overall employee reduction, wha

Today, I the Holy Grail of compliance –Return on Investment—for your compliance program. In a very interesting article by Paul Healy and George Serafeim entitled, “An Analysis of Firms’ Self-Reported Anticorruption Efforts”. In this academic paper, the authors looked at the issue of not simply profitability of companies, which had more robust anti-corruption compliance programs but also what was the direct effect on the companies’ return on equity (ROE) in countries which were perceived to have a high incidence of corruption. Not surprisingly, in countries in a low risk for corruption, there was not much difference in the sales growth for companies with robust anti-corruption compliance programs and those business which into the authors’ ‘cheap talk’ category. However when it came to growth in countries which had a high propensity of corruption, there was a dramatic difference. When quantitative types say, “The magnitudes of the estimated coefficients are economically interesting”; it is a HUGE deal. These fi

I often write about the nuts and bolts of an effective compliance program but one of the most basic things that an effective compliance program must have is a compliance department present to ask the basic questions of compliance to and receive an answer from. I think to the DOJ and SEC this means a couple of things. First, and foremost, there must be the requisite number of resources dedicated to the compliance function. This means that a compliance department must be staffed with an appropriate number of compliance professionals to do the day-to-day basic work of compliance. Head count is always important in any corporation but there must be some minimum number of people in the compliance department to answer the phone or respond to email.  But, equally important to this resource issue is providing centralized assistance and what the FCPA Guidance says is “to provide guidance and advice on complying with a company’s ethics and compliance program”. In other words, it is up the corporation to have someone the

Every Board of Directors need a true compliance expert sitting on their Board. Almost every Board has a former Chief Financial Officer (CFO), former head of Internal Audit or persons with a similar background and often times these are also the Audit Committee members of the Board. Such a background brings a level of sophistication, training and subject matter expertise that can help all companies with their financial reporting and other finance based issues. So why is there not such compliance subject matter expertise at the Board level? An arm of the US government has recognized the need for such expertise at the Board level. In 2015 the Office of Inspector General (OIG) has called for greater compliance expertise at the Board level. The OIG said that a Board can raise its level of substantive expertise with respect to regulatory and compliance matters by adding to the Board, a compliance member. The presence of a such a compliance professional with subject matter expertise on the Board sends a strong messa

In this episode I visit with Jonathan Armstrong about the UK portion of the Rolls-Royce global anti-corruption settlement. We discuss the UK Deferred Prosecution Agreement, how it came about, what it might mean for the Serious Fraud Office going forward and how the judicial review of the UK DPA process adds a level of transparency not seen in the United States DPA practice.  For more on the Rolls-Royce settlement see: Cordery Compliance client alert, click here.  FCPA Compliance Blog articles on the settlement, Part I and Part II Learn more about your ad choices. Visit megaphone.fm/adchoices

Continuous improvement requires that you not only audit third parties but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs. Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. Many compliance practitioners understand you should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should

Show Notes for Episode 5, Year End Review, Part II  We turn to the 2016 year in review, in this Part II of a two-part series.   Jonathan Armstrong leads a discussion on Privacy Shield, information and data privacy issues the past year.   Mike Volkov relates what he saw as the top enforcement highlights from 2016, the block-buster year for FCPA fines and penalties and the growing trend of globalization of enforcement. Matt Kelly discusses the arrival of front pay, and general escalation of retaliation risk for company’s vis-a-vis whistleblowers, ideas on auditing corporate culture and what types of data and information should go on a compliance dashboard.  For Matt’s posts on these topics see the following: Another Front in Retaliation Risk: Front Pay Ideas on Auditing Organizational Culture What Goes on a Compliance Dashboard?  Rants will return next week.  The members of the Everything Compliance panel include: Jay Rosen (Mr. Translations) – Jay is Vice President of Legal & Corporate Language Solutions