FCPA Compliance Report Tom Fox

Control Testing – Has the company reviewed and audited its compliance program in the area relating to the misconduct? More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third-parties does the company undertake? How are the results reported and action items tracked?   
Fortunately, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Controls Framework considers assessing compliance internal controls. In “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls”, COSO laid out its views on assessing the effectiveness of internal controls. It noted that an effective system of internal controls provides “reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements that can only be met through such a structured protocol. First, each of the five components are present and functioning. Second, that the five components operate in an integrated fashion with each other. One of the most critical components of the COSO Framework is that it sets internal control standards against those which you can audit to assess the strength of your compliance internal controls. 
Three key takeaways:

An effective system of internal controls provides reasonable assurance of achievement of the company’s objectives, relating to operations, reporting and compliance.

There are two over-arching requirements for effective internal controls. First, each of the five components are present and function. Second, are the five components operating together in an integrated approach.

For an anti-corruption compliance program, you can use the Ten Hallmarks of an Effective Compliance Program as your guide to test against.


Learn more about your ad choices. Visit megaphone.fm/adchoices

The Evaluation of Corporate Compliance Programs - Guidance Document (2019 Guidance) was very clear about the need for continuous improvement in any compliance program. It stated quite succinctly, “One hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.”  
This was further specified in the DOJ’s 2019 Guidance which listed three types of continuous improvement, each further refined with multiple attendant questions. It also added a new area of inquiry that every compliance practitioner needs to incorporate into their assessment, improvement and management cycles; culture.
 Three key takeaways:

Your compliance program should be continually evolving.

Monitoring and auditing are different, yet complimentary tools for continuous improvement.

Culture assessment and monitoring are also now required as well.


Learn more about your ad choices. Visit megaphone.fm/adchoices

There is nothing like an internal whistleblower report about a compliance violation, the finding of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However, it may well be the time for a very serious reality check.
Three key takeaways:

A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.

Be aware of how your investigation can impact and even inform your remediation efforts.

Be prepared to deal with the dreaded “where else” question.


Learn more about your ad choices. Visit megaphone.fm/adchoices

In the Episode, I visit with Dave Lefort, Editor in Chief for Compliance Week. Dave recently wrote “It’s hard to tell whether the age we’re living in is the calm before the storm or if it is the storm. One way or another, we’ll likely get some clarity in the year ahead for CCOs navigating these choppy waters.” I asked him to come on the podcast and discuss his 10 predictions on what will dominate compliance headlines in 2020.
 

Big Tech in antitrust crosshairs. Is everyone ganging up on big tech?

Deregulation. Is it real or is it Memorex? 

Recession worries: Impact on ethics and compliance. Will compliance have to do more with less or less with less? 

2020 elections. How could it impact the regulatory environment heading into 2021? 

Protecting whistleblowers. Will Congress step in where the Supreme Court gutted protection? Will Trump’s public berating of the impeachment whistleblower embolden those accused of wrongdoing to retaliate? 

Data privacy equation has changed. How so? 

GDPR: Waiting for the big one. Which US company will it be?

Regulators will reward good-faith efforts. Is it softening or a refocus?

Ethics and Artificial Intelligence: Trouble ahead? Will Skynet become self-aware? 

Supply chains, geopolitical risk, and third parties. If this is such a big problem, where are the resources to fix it? 


Resources
Dave’s article Ten Things We’ll Be Talking About in 2020
Subscribe to Compliance Week here. Use the code, NEWYEAR2020 … for a $365 for a one-year membership.
Register for Compliance Week 2020, here.
Learn more about your ad choices. Visit megaphone.fm/adchoices

After the internal report comes in and you have properly triaged the matter, you need to scope out and investigate it, promptly, thoroughly and with competent personnel. Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate with consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties, once an allegation is made. This allows the compliance team to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.
 Three key takeaways:

A written protocol, created before an investigation, is a key starting point.

Create specific steps to follow so there will be full transparency and documentation going forward.

Consistency in approach is critical.


Learn more about your ad choices. Visit megaphone.fm/adchoices

The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward.
This scenario was driven home by the SEC in a 2015 FCPA enforcement action involving Mead Johnson Nutrition Company. In this enforcement action, the company performed two internal investigations into allegations that its Chinese business unit was engaged in conduct which violated the FCPA. Unfortunately, the first investigation, performed in 2011, did not turn up any evidence of FCPA violations. It was not until 2013, when the SEC made an inquiry to the company that it performed an adequate internal investigation which uncovered FCPA violations.
Three key takeaways:

The DOJ and SEC put special emphasis on internal reporting lines.

Test your hotline on a regular basis to make sure it is working.

Have a triage protocol in place before the call comes in so you will be ready to go and not required to scramble to create a protocol.


Learn more about your ad choices. Visit megaphone.fm/adchoices