Reducing Adverse Legal Consequences Through FCPA Remediation

By Jonny Frank and Rex Homme
March 28, 2013

In last month's issue, we observed that both the Department of Justice (DOJ) and the Securities Exchange Commission (SEC) have placed what they term a “high premium” on remediation efforts made by companies that discover or are accused of violations of the Foreign Corrupt Practices Act (FCPA). In many cases, the punishments meted out for such violations will be diminished if a company is proactive in working to limit an FCPA violation's effects and ensure that future breaches will not occur. We continue our discussion herein.

Other Misconduct

Imagine the embarrassment and severe legal consequences if, subsequent to learning of and dealing with a bribery or fraud situation, the company, or worse, the government, discovers that the perpetrators engaged in other wrongdoing or that the misconduct the company claimed was isolated actually pervades across the organization. With this in mind, companies must make every effort to flush out other misconduct by the perpetrators of fraud or bribery, or similar misconduct by others in the organization.

The remediation team gains comfort through an auditing process called “negative assurance,” which means conducting audit procedures to search for risk indicators or “red flags.”

  • Perpetrator Misconduct: Do not be fooled by tears, apologies or expressions of regret; perpetrators rarely come completely clean. Use COSO risk assessment procedures to identify other ways that the perpetrators may have engaged in misconduct. (COSO is an acronym for the Committee of Sponsoring Organizations of the Treadway Commission.) Develop key risk indicators, and conduct audit procedures, including data analytics, transaction testing and interviews, to gain negative assurance.
  • Misconduct by Others: Use the root cause analysis to frame procedures to gain assurance that similar misconduct has not occurred elsewhere in the organization. If the misconduct arose from poor operating effectiveness, test whether control activities are operating effectively in a sample of other locations. If, however, the problem was one of design effectiveness, the team might need to conduct substantive forensic audit procedures to search for red flags of similar misconduct.

Corruption Risk & Controls Register

The DOJ and SEC specifically evaluate an organization's corruption risk assessment process when assessing a company's compliance program. FCPA deferred prosecution agreements usually include a requirement that the company identify and assess risks of potential foreign bribery.

Corruption risk assessments generally involve: 1) identifying interactions between the organization and public officials; and 2) potential methods to pay bribes. Begin by developing a framework that the company can use day-to-day. Suggested fields include: 1) description of bribe scheme or scenario; 2) source for including scheme in inventory; 3) impacted business units or functions; 4) inherent likelihood and significance (this refers to assessing risk without regard to existing controls); 5) preventive and detective controls; 6) residual likelihood and significance; and 7) residual risk response, including forensic data analytics.

Once the corruption risk assessment process is formulated, the next step is to develop an inventory of potential bribe schemes. Remediation advisers can jumpstart the process, if they have prepared industry risk inventories. Perform interviews and hold focus groups among relevant business unit and function leaders. Consider past allegations at the company, as well as the results of internal audits and business reviews of foreign business units and functions.

The team then assesses the likelihood and significance of a scheme occurring on an “inherent” basis; that is, without regard to existing controls. The next step is to link and evaluate controls relied upon by the organization to mitigate risks assessed as likely or significant. If existing controls do not lower the risk to an acceptable level, the team must devise a residual risk response, typically combining preventive and detective controls and forensic data analytics.

Keep the register up-to-date. This critical, but often overlooked, step is simple and not time-consuming, if the organization assigns responsibility for updating the register based on new whistleblower allegations, internal audits, business reviews and media reports.

Control Environment and Entity-Level Controls

The DOJ and SEC, as well as U.S. Sentencing Guidelines (USSG) criteria of an effective ethics and compliance program, require companies to take steps to enhance the control environment. DOJ Deferred Prosecution Agreements typically require that the organization:

  • Promote an organizational culture that encourages ethical conduct and a culture of compliance;
  • Use reasonable efforts not to include within the substantial-authority-personnel of the organization any individual whom the company knew, or should have known, engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program;
  • Develop “clearly articulated” FCPA policies;
  • Assign a corporate executive with responsibility for the implementation and oversight of compliance standards and procedures; authority to report matters directly to the Board; and appoint heads of compliance for each of its business units;
  • Develop mechanisms to communicate policies, standards and procedures to all directors, officers, employees, agents and business partners, to include periodic training and annual certification; and
  • Develop a system for: 1) providing guidance and advice; 2) reporting information on a confidential basis; and 3) responding to reports of misconduct or requests for advice.

Transaction-Level Controls

Transaction-level controls refer to procedures to ensure compliance and prevent and detect non-compliance with specific company policies. Organizations need to guard against weaknesses in both design and operating effectiveness. Design flaws involve inadequate protection against collusion, management override, unauthorized access and other forms of controls circumvention. Operating effectiveness refers to whether the controls are functioning as designed.

The remediation program must develop or enhance transaction-level controls to prevent recurrence of misconduct identified during the FCPA investigation, as well as to prevent significant risks identified during the corruption risk assessment. Common DOJ and SEC mandated transaction-level controls enhancements require that the organization:

  • Promulgate controls governing gifts, hospitality, customer travel, political contributions, charitable donations, facilitation payments, solicitation and extortion;
  • Modify internal controls so that they are reasonably designed to ensure accurate books, records, and accounts to ensure that they cannot be used for the purpose of foreign bribery or concealing misconduct;
  • Institute diligence and compliance requirements related to all agents and business partners, to include: 1) documented risk-based diligence; and 2) informing agents of the company's commitment to abiding by the law; and
  • Include standard provisions in agreements, contracts and renewals for all agents and business partners pertaining to anti-corruption, concerning anticorruption representations and undertakings, rights to conduct audits, and rights to terminate as a result of any breach of anticorruption laws and regulations or representations and undertakings.

Collusion and Management Override

Even the best anticorruption entity and transaction-level controls might be vulnerable to potential collusion, management override or other circumvention. To mitigate this risk, the remediation analyses should also assess whether management in the targeted areas have “bought into” an effective anti-corruption program. Interviews of these individuals, and their direct reports, are often useful in assessing future risks. Compliance should be built into the compensation, goals and evaluation process of country and regional managers. The remediation team should also assess the design of the controls, including compensation controls to guard against collusion and override, and should validate operating effectiveness to ensure that employees and third parties are complying with enhanced policies and controls.

Discipline

Companies must take consistent and appropriate action. Discipline of primary actors is a given, but beware of business leaders trying to protect otherwise high-producing personnel.

Secondary actors pose the greater challenge. These include business leaders exerting undue pressure and poor supervision, as well as bystanders failing to report observed misconduct. Employees involved in financial reporting pose special challenges, as external auditors will be reluctant to place reliance on, or accept representations from, individuals suspected of having engaged in misconduct.

Periodic Third-Party Review

Remediation programs require periodic review to ensure the effectiveness of remedial efforts. Prompt and proactive action is essential if the company is to avoid a government-imposed compliance monitor or independent consultant. A company can beat the government to the punch by voluntarily installing its own monitor. This strategy works, however, only if the company's monitor is highly credible and completely independent.

Incident Response and Remediation

Finally, an effective FCPA remediation must include a response plan for if and when future allegations of corruption arise. FCPA settlement agreements typically require companies to:

  • Develop a process for responding to allegations of violations of anti-corruption laws; and
  • Maintain mechanisms for making and handling reports and complaints related to potential violations of anti-corruption compliance issues, including a process for investigating and ensuring that appropriate remedial measures are undertaken.

Conclusion

FCPA allegations are akin to angina attacks. Respond appropriately and life continues as normal (or close to it). Fail to remediate to the satisfaction of the DOJ or SEC and the organization faces the corporate equivalent of a heart attack. Organizations can satisfy these agencies' expectations by following the recommendations we have discussed.


Jonny Frank, a partner in the New York office of the StoneTurn Group, served for 12 years as a federal prosecutor and 14 years as a partner at PwC, where he founded and led the Investigations and Fraud Risks & Controls Groups. Rex Homme, a partner in StoneTurn's Chicago office, has over 20 years' experience supporting law firms and companies to prevent, detect, and investigate fraud and corruption worldwide.
