Editor: How are companies responding to increased global regulatory coordination and sophistication with regard to anti-bribery and corruption (“ABC”) enforcement efforts?
deGrasse: The government’s enforcement efforts certainly have become more sophisticated. The DoJ and SEC, for example, are emphasizing to companies the need for ABC compliance programs to create a control environment that contains an integrated set of “front-end” and “back-end” controls. The former category includes authorization procedures in a variety of contexts – controls that counsel often draft. “Back-end” controls are financial in nature and relate to the expenditure of company assets, including disbursements, reimbursements and sales channel support, such as rebates and discounts. The government is taking an increasingly holistic view of ABC compliance programs, and companies have responded by designing and implementing more comprehensive programs. This is a trend that we expect will continue.
The elements of compliance programs include the design and implementation of standards meant to reduce ABC risk, as well as monitoring of these standards to determine whether they are being followed in practice. In addition to its own monitoring of internal audits, the government increasingly wants to see companies engaged in a continuous monitoring of transactions and, where possible, the use of automation and data analytics to further that effort – a point I believe Jon will discuss in further detail. This monitoring is in addition to the traditional formal monitoring function performed by internal audit departments. Continuous monitoring presents companies with real challenges from an automation perspective; companies will be stepping up efforts to automate and enhance their monitoring capabilities.
Editor: What are the most common reasons that compliance plans fail?
deGrasse: Companies tend to do well during the design phase, whether on their own or in collaboration with outside advisors. In our experience, plans fail because they aren’t implemented or monitored properly, which can thwart even the best risk assessments and render well-designed plans ineffective, much to the company’s surprise and chagrin.
The implementation process is time consuming and requires a sustained effort to drive and monitor its progress. Companies don’t realize that attention to these issues tends to drop off after finalizing the policies and procedures, posting them on their intranet site (or otherwise distributing them) and completing a first round of training. Human nature and differing cultural experience dictate that a sustained training and monitoring effort is required if enhanced procedures are to be implemented and followed to an acceptable degree. Monitoring provides the measurement of the degree to which controls are implemented and functioning as designed.
Another compliance challenge involves the tension between global consistency in procedures and controls and the need for controls that are customized to individual markets in which the company does business. Global consistency promotes efficiencies in design, implementation and monitoring – and makes it much more likely that the ABC program will meet the government’s expectations of an effective program. On the other hand, if plans are not customized to incorporate local challenges and attributes, employees in overseas jurisdictions may view the ABC program as impractical and unworkable for their market and, therefore, will be reluctant to buy into it.
Finally, insufficient training is a real issue. Obviously, training must cover regulatory requirements, and it should cover the legal elements within FCPA compliance. Training in native languages is also critical, something that most companies now realize and are taking considerable pains to provide. As a lawyer, I must admit that lawyers can be less-than-ideal trainers because we tend to emphasize statutory legal elements, exceptions or defenses and focus on how the company and individuals can reduce their legal exposure. Lay personnel don’t necessarily relate to these concepts or understand how the statute impacts their everyday responsibilities.
Editor: So who should be delivering this training?
deGrasse: First, if external advisors are doing the training, it is necessary that in-house people actively participate. This promotes better buy-in from employees because an internal colleague carries some weight. Second, training should be tailored to the audience. For instance, when training finance people, the best trainers will have a finance background; for operational employees, a compliance person with operational experience is ideal. Third, to the extent that lawyers are involved, they should consciously seek to design a presentation in layman’s language – in collaboration with local supervisors who can provide real-life situations that will help drive learning through the use of hypothetical scenarios.
Editor: How has data analytics evolved in this context? What is the government’s expectation?
Zdimal: In current day, companies continue to enhance capabilities to capture massive amounts of data – both financial and operational in nature. Some clients are beginning to realize the power of leveraging this data in the fight against corruption and bribery.
There appears to be a trending interest involving companies seeking innovative ways to incorporate data and analytics into their compliance program initiatives – for example, to support risk assessments or compliance-monitoring-type activities. Data analytics can be a very powerful tool, offering companies a surgical, cost-effective approach to harvest, query and analyze voluminous amounts of data in a very focused and meaningful manner – all with a view towards identifying potentially anomalous patterns, behaviors or attributes possibly indicative of non-compliance concerns. This in turn helps clients focus valuable time and resources in a more precise, risk-based manner.
In my experience, the regulators are becoming very sensitized to the concept that companies (and investigators alike) have access to these cutting-edge techniques to query and analyze considerable amounts of data in a compliance and/or investigative setting. I do think there is a continued, but ever-evolving, expectation that companies maintain a comprehensive understanding of their systems and sources of data, including a sound understanding of the capabilities to access, query and evaluate that data in a meaningful way. In this day and age, data and analytics have to be a part of almost any conversation – particularly in the context of compliance-monitoring-type activities or in an investigative setting. In my opinion, there is a growing expectation from the regulators in that regard.
Editor: How do regulatory risks tie in with a company’s industry?
Zdimal: In general, any company operating in a foreign jurisdiction is likely to face some element of FCPA non-compliance risk, meaning its foreign operations likely require some level of government interface.
Looking past the more obvious scenario of marketing and selling directly to government-based customers, FCPA-based risk can have a much broader reach, regardless of industry. Risk could undoubtedly stem from normal-course operational activities, such as sourcing, manufacturing, distribution or even cross-border logistics. Brick-and-mortar operations also face FCPA-based risk in the context of constructing and operating facilities – for example, interfacing with environmental boards, licensing and permitting associated with new construction and/or operations, site inspections, and labor considerations, among others. Many clients overlook a common situation of possible heightened risk involving paying taxes in foreign jurisdictions. In the course of evaluating and paying taxes in a foreign market, there will likely be some level of interaction with the foreign taxation authorities – whether directly or through use of an intermediary.
Editor: Which industries have been under scrutiny? Are companies learning from their experiences?
deGrasse: An incomplete list would include oil and gas, aerospace, defense, medical device and pharmaceutical industries – all have been the subject of multiple government enforcement actions and prosecutions. The entertainment industry has also seen some government scrutiny. Once the government becomes acquainted with the risk profile of a company and the nuances associated with that company’s industry, it can more efficiently investigate and, where appropriate, prosecute peer companies.
I should point out a common misperception that companies not in so-called high-risk industries have lower FCPA risk profiles. The lessons from prior regulatory activity are a great starting point and an objective tool to help companies begin their evaluation of ABC-related risk and assist in prioritizing compliance and internal audit activities. The mistake companies often make is failing to recognize that this tool is merely the starting point for the risk assessment process. A company not in a recognized high-risk industry consequently may become complacent in creating and maintaining an ABC compliance program. What really drives a risk profile is not the industry per se but rather the government touchpoints within a company’s operations, the quality of its own personnel and its current control environment. Recent developments have shown that FCPA risk can be found in any industry – even industries traditionally deemed to be low risk, such as retail.
Editor: What additional factors affect a company’s FCPA risk profile?
deGrasse: The statute itself obviously is geographically sensitive. Government interactions are dictated not only by the company’s operational footprint but also by jurisdiction, including nuances such as the degree of infiltration into everyday business activities by central and local governments. A private transaction in the U.S. may be subject to FCPA in socialized economies because, while in the U.S. the party receiving a bribe is a private entity, that entity in the socialized economy may be considered a government official. Doctors and journalists are but two examples of such third parties.
Almost all companies will have regulatory interactions that can generate some degree of ABC-related risk. As Jon noted, brick-and-mortar operations often will need certain permits in order to operate and will be subject to foreign taxes. Businesses may import or export material across international borders – in some countries, even domestic transport across provincial borders can generate high-risk government interactions.
Companies also need to assess risk exposure in the sales channel, as Jon noted. Companies may need licenses to make sales, especially in relation to goods that impact public health or relate to national security. They also need to pay attention to discount and rebate policies and procedures as well as the use of gift cards. Companies that sell to government entities may face significantly heightened ABC risk in dealing with government bidding processes.
Another factor that determines risk is the sophistication of internal controls and accounting systems and the number of different accounting systems that exist across markets. Multiple systems create significant challenges from a design, implementation and monitoring perspective.
An often-overlooked factor is the need to make conscious decisions about the quality of your teams on the ground. An experienced team in a high-risk market may help significantly reduce ABC-related risk in a high-risk jurisdiction, while an inexperienced team – or perhaps one with a record of non-compliance – surely will increase risk in a low-risk jurisdiction. Personnel certainly are only one variable in the risk assessment process, but they are an important one that companies sometimes overlook while relying on tools such as the Transparency International indices that are designed to be but one arrow in the compliance officer’s quiver.
One last point on this topic addresses compensation systems, which can incentivize inappropriate behavior in order to meet specific pre-set goals. Is compliance taken into account when conducting employee evaluations? Do you specifically reward employees whose business units have had no known compliance issues and penalize employees whose departments fail to maintain an acceptable rate of compliance? The government is interested in how a company balances motivation to meet financial targets with the need to recognize and reward compliance with law and company policy.
Editor: The use of third-party intermediaries (TPIs) as conduits to pay bribes is a longstanding regulatory enforcement issue. How are companies responding to that risk in practice?
Zdimal: Companies are currently working to develop more robust processes to screen, contract with, and monitor third-party intermediaries that may be interacting with foreign officials on behalf of a company – particularly in the higher-risk jurisdictions. For example, companies are undertaking aggressive measures to first identify existing (and prospective) intermediaries who may be operating in these types of roles, and following that with measures to evaluate those parties for potential reputational concerns. Some of my clients are also looking to incorporate objective ways to measure and risk-rate classes of intermediaries for purposes of monitoring for compliance. Some of these risk-rating attributes might include, but wouldn’t be limited to, the types of interactions the intermediaries are engaging in, as well as taking into consideration what countries they may be operating in.
With respect to contracting with these intermediaries, companies are now looking to embed specific compliance-related language in the partner contracts, as well as include right-to-audit clauses – which serve as a strong back-end or monitoring technique. Through exercising a right-to-audit clause, companies can obtain access to a business partner’s books and records, analyze transactions for potential compliance concerns and interview relevant personnel – all with a view towards assessing whether that intermediary or partner is putting the company at risk in the context of violating the FCPA or other local country anti-bribery statute.
deGrasse: Exercising a right-to-audit clause, however, can be difficult. TPIs often have a great deal of leverage over a U.S.-based company. Third-party intermediaries that operate in relatively isolated areas may be the only game in town, especially where applicable regulations/laws require local firms to submit government bids. The decision to exercise audit rights relative to these TPIs must take into account and balance the benefits of auditing against the possibility of losing vital services from a local intermediary. That is a legitimately tough call and an extremely challenging issue for a company’s compliance and legal personnel.
Reliable identification of TPIs is another challenge. Consistency is difficult because providers differ in their services depending on location, and laymen may well find it difficult to determine whether certain third parties (like landlords) are TPIs in the first place. There is a tendency to under-report the number of TPIs. This under-reporting doesn’t necessarily demonstrate bad intent, but instead may reflect a legitimate challenge for local business people who are called upon to understand the nuances of determining whether a vendor, for example, is a business partner or a TPI. The future of TPI due diligence will include finding better ways to independently identify a vendor as a TPI.
Editor: What common mistakes do companies make when assessing their corruption-related risk profiles?
deGrasse: We discussed a few of the common mistakes earlier in the interview. An additional error is the failure to differentiate the work of auditors versus forensic accountants. Companies often maintain that satisfying external auditors and Sarbanes-Oxley (SOX) requirements demonstrate a lack of ABC-related risk – an argument that reflects a misperception of the nature and scope of audit work, including what is (or is not) in scope. Such mistakes will not hold water with regulators, who very well understand the limits of audits and SOX-related efforts and expect more from an effective ABC compliance program.
Another mistake is to rely on the fact that the company is in a “low-risk industry,” which many believe is a dispositive factor. It’s not. We already discussed the dangers of confusing a well-designed plan with an effective compliance program, i.e., one that is properly implemented and monitored, and we covered the critical need to ensure that training programs are effective – not simply a “check-the-box” exercise – and really serve to drive implementation.
On a personal level, I am always impressed by how lawyers and accountants/controls specialists differ in their vernacular and approach to compliance matters. Lawyers think of identifying risk activities and addressing policies and procedures to reduce risk associated with those activities. Controls specialists focus on the processes in which ABC risk can exist in a company and design a set of controls to remediate that risk. Both views of course are valid but reflect different perspectives based on the training and skill sets of the respective professions. I have sat in meetings where the lawyers and accountants afterwards approached me separately to ask that I translate into their vernacular what the other side had said during the meeting.
Finally, the case law is littered with companies that believed they had an ethical culture, which for most employees was true. These companies didn’t understand that the challenge with any white collar activity is that it takes just one unethical person to damage its reputation, particularly in the FCPA context because there is no materiality standard that creates liability for a company.
Editor: Can you explain more about the materiality standard for FCPA?
deGrasse: Materiality is a fundamental concept governing audit work and defining accounting approaches to financial controls and analysis. The FCPA has no materiality standard, meaning that violations need not be material to the company’s financial statement in order to generate liability. For the sole purpose of making this point, the DoJ has taken cases that involve very small amounts. In my former role as an assistant United States attorney in Chicago, our office certainly would have declined such cases, so the stakes really are higher in today’s environment.
Zdimal: Building on Rocco’s point, the qualitative aspect of an otherwise immaterial financial transaction could be the reason for concern. Apart from assessing quantitative factors, it is the qualitative aspect of a bribe and what that bribe is intended to accomplish that creates the concern from a materiality standpoint. The qualitative aspect of a bribe is generally what puts you in the space of an FCPA violation – not necessarily the quantitative aspect.
Editor: In closing, please summarize the key takeaways of this discussion and talk about KPMG’s role in helping companies with compliance efforts.
deGrasse: The broad point is this: most companies are well aware of their ABC compliance obligations and the price of non-compliance associated with this area of the law. What they are not always prepared for is the granular analysis – for instance of individual countries, provinces, municipalities, industries and myriad business activities – that is required to design an effective program, as well as the sustained effort implementation requires.
Clearly, lawyers play a vital role in helping companies create and maintain effective ABC compliance programs, and KPMG’s forensic advisory experts are uniquely qualified to partner with law firms, adding value to the critical work of designing appropriate policies, procedures and financial controls and then monitoring and measuring the degree of implementation. We work with law firms on a regular basis, each of us focusing on the issues that fall within our particular skills. This way, we bring all the elements required to help companies develop and maintain effective ABC compliance programs.
Rocco deGrasse is a former Assistant U.S. Attorney who travels worldwide to address FCPA-related issues for clients, including in the due diligence, compliance, internal audit and investigative contexts. His prior experience includes service as an Assistant United States Attorney in Chicago and Raleigh, North Carolina; he also was a Partner with the law firms of Winston & Strawn and Foley & Lardner, where his practice focused on complex criminal and civil litigation. Mr. deGrasse represents companies ranging from Fortune 10 to mid-market in FCPA investigations and global FCPA compliance projects. He currently serves as KPMG’s global lead partner for a complex global compliance engagement currently pending before the Department of Justice and Securities and Exchange Commission.
Jonathan Zdimal is a Certified Public Accountant with over 14 years of global forensic accounting and financial statement audit experience across a variety of industries – including diversified industrials, retail, automotive, energy, software & electronics, life sciences and pharmaceutical. Mr. Zdimal’s primary emphasis is in the area of conducting global investigations into matters involving alleged corruption & bribery and financial reporting-related fraud. Mr. Zdimal provides proactive and reactive investigative advisory services to attorneys, audit committees, corporate management and internal audit functions around the world – including trainings, risk assessments, program assessments and on-call investigative response services.