A reader (a compliance professional at a large publicly traded company with operations around the world) asks:
“One of the things I am struggling with is how to measure the effectiveness of a compliance program. I find it easy to measure activity, but the real value is in the avoidance of penalties and pre/post expenses, negative publicity, customer retention, share value reduction, etc. A good compliance program for a global company is a significant and costly investment and one that is always being reviewed and squeezed as business cycles fluctuate. The catch-22 is that the more effective the compliance program, the less issues that are identified, equaling more questions as to why we need such a significant investment. The programs own success can be its biggest challenge. Thoughts on ideas on effective measurements of a compliance program?”
Set forth below are my thoughts on this difficult issue – difficult because of what legal authority (as well enforcement agency guidance) actually say vs. seemingly conflicting actual FCPA enforcement actions and enforcement agency double-speak.
For starters, even though “effective” is a nice goal, the FCPA does not require issuers to have an “effective” compliance program.
Rather, the statutory standard is that issuers shall “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that” certain financial objectives are met. The FCPA then defines “reasonable assurances” to “mean such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”
Moreover, the FCPA states:
“where an issuer … holds 50% or less of the voting power with respect to a domestic or foreign firm … [the books and records and internal controls provisions] require only that the issuer proceed in good faith to use its influence, to the extent reasonable under the issuer’s circumstances, to cause such domestic or foreign firm to devise and maintain a system of internal accounting controls consistent [with the statutory standard]. Such circumstances include the relative degree of the issuer’s ownership of the domestic or foreign firm and the laws and practices governing the business operations of the country in which such firm is located. An issuer which demonstrates good faith efforts to use such influence shall be conclusively presumed to have complied with the requirements of [the books and records and internal controls provisions].”
In enacting the FCPA’s internal controls provisions, Congress noted:
“[M]anagement must exercise judgment in determining the steps to be taken, and the cost incurred, in giving assurance that the objectives expressed will be achieved. Here, standards of reasonableness must apply. In this regard, the term ‘accurately’ does not mean exact precision as measured by some abstract principle. Rather it means that an issuer’s records should reflect transactions in conformity with generally accepted accounting principles or other applicable criteria. While management should observe every reasonable prudence in satisfying the objections called for [in the accounting provisions] the committee recognizes that management must necessarily estimate and evaluate the cost/benefit relationships to the steps to be taken in fulfillment of its responsibilities … The size of the business, diversity of operations, degree of centralization of financial and operating management, amount of contact by top management with day-to-day operations, and numerous other circumstances are factors which management must consider in establishing and maintaining an internal accounting controls systems.” (See S. Rep. 95-114 (1977).
When the accounting provisions were amended in 1988 by defining the terms “reasonable assurance” and “reasonable detail” to mean such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs,” legislative history instructs:
“The prudent man qualification [was adopted] in order to clarify that the current standard does not connote an unrealistic degree of exactitude or precision. The concept of reasonableness of necessity contemplates the weighing of a number of relevant factors, including the costs of compliance.”
In addition to above legal authority, SEC v. WorldWide Coin is believed to be the only judicial decision to construe the internal controls provisions. As highlighted in this previous post, the judge stated in pertinent part:
“The internal controls requirement is primarily designed to give statutory content to an aspect of management stewardship responsibility, that of providing shareholders with reasonable assurances that the business is adequately controlled.
Internal accounting control is, generally speaking, only one aspect of a company’s total control system; in order to maintain accountability for the disposition of its assets, a business must attempt to make it difficult for its assets to be misappropriated. The internal accounting controls element of a company’s control system is that which is specifically designed to provide reasonable, cost-effective safeguards against the unauthorized use or disposition of company assets and reasonable assurances that financial records and accounts are sufficiently reliable for purposes of external reporting. […] Internal accounting controls must be distinguished from the accounting system typically found in a company. Accounting systems process transactions and recognize, calculate, classify, post, summarize, and report transactions. Internal controls safeguard assets and assure the reliability of financial records, one of their main jobs being to prevent and detect errors and irregularities that arise in the accounting systems of the company. Internal accounting controls are basic indicators of the reliability of the financial statements and the accounting system and records from which financial statements are prepared.
“Among the factors that determine the internal accounting control environment of a company are its organizational structure, including the competence of personnel, the degree and manner of delegation and responsibility, the quality of internal budgets and financial reports, and the checks and balances that separate incompatible activities. The efficiency of the internal control system of a company cannot be evaluated without considering the company’s organizational structure, the caliber of its employees, the strength of its audit committee, the effectiveness of its internal audit operation, and a host of other factors which, while not part of the internal control system itself, have an impact on the function of the system.
Although not specifically delineated in the Act itself, the following directives can be inferred from the internal controls provisions: (1) Every company should have reliable personnel … and all should be supervised. (2) Account functions should be segregated and procedures designed to prevent errors or irregularities. The major functions of recordkeeping, custodianship, authorization, and operation should be performed by different people to avoid the temptation for abuse of these incompatible functions. (3) Reasonable assurances should be maintained that transactions are executed as authorized. (4) Transactions should be properly recorded in the firm’s accounting records to facilitate control, which would also require standardized procedures for making accounting entries. Exceptional entries should be investigated regularly. (5) Access to assets of the company should be limited to authorized personnel. (6) At reasonable intervals, there should be a comparison of the accounting records with the actual inventory of assets, which would usually involve the physical taking of inventory, the counting of cash, and the reconciliation of accounting records with the actual physical assets. Frequency of these comparisons will usually depend on the cost of the process and upon the materiality of the assets involved.”
Notwithstanding the above, the judge struggled to articulate specific guidance for the accounting provisions and stated:
“The main problem with the internal accounting controls provision of the FCPA is that there are no specific standards by which to evaluate the sufficiency of controls; any evaluation is inevitably a highly subjective process in which knowledgeable individuals can arrive at totally different conclusions. Any ruling by a court with respect to the applicability of both the accounting provisions and the internal accounting control provisions should be strictly limited to the facts of each case.”
Nevertheless, the judge offered the following key language:
“The definition of accounting controls does comprehend reasonable, but not absolute, assurances that the objectives expressed in it will be accomplished by the system. The concept of ‘reasonable assurances’ contained in [the internal controls provisions] recognizes that the costs of internal controls should not exceed the benefits expected to be derived. It does not appear that either the SEC or Congress, which adopted the SEC’s recommendations, intended that the statute should require that each affected issuer install a fail-safe accounting control system at all costs. It appears that Congress was fully cognizant of the cost-effective considerations which confront companies as they consider the institution of accounting controls and of the subjective elements which may lead reasonable individuals to arrive at different conclusions. Congress has demanded only that judgment be exercised in applying the standard of reasonableness. The size of the business, diversity of operations, degree of centralization of financial and operating management, amount of contact by top management with day-to-day operations, and numerous other circumstances are factors which management must consider in establishing and maintaining an internal accounting controls system. […] It is also true that the internal accounting controls provisions contemplate the financial principle of proportionality—what is material to a small company is not necessarily material to a large company.”
In short, the above legal authority does not answer the reader’s questions, but should provide some comfort to any compliance professional at an issuer based on the following salient points:
- there is no legal requirement that an issuer have an “effective” compliance program or that internal controls provide “absolute assurances”;
- rather internal controls should provide “reasonable assurances” that certain objectives are being met and a cost / benefit analysis is relevant to this standard;
- good faith is a relevant standard for issuer’s with minority owned subsidiaries;
In addition to the above legal authority, there are also non-legal sources of authority relevant to the internal controls provisions.
In 1981, the SEC issued additional formal guidance concerning the accounting provisions in the form of a speech by the SEC Chairman that was thereafter adopted by the SEC as a formal statement of policy. (See SEC Release No. 17500 (Jan. 29, 1981). In pertinent part, the SEC stated:
“The Act does not mandate any particular kind of internal controls system. The test is whether a system, taken as a whole, reasonably meets the statute’s specified objectives. ‘Reasonableness,’ a familiar legal concept, depends on an evaluation of all the facts and circumstances.”
“Private sector decisions implementing these statutory objectives are business decisions. And, reasonable business decisions should be afforded deference. This means that the issuer need not always select the best or the most effective control measure. However, the one selected must be reasonable under all the circumstances.”
“The accounting provisions principal objective is to reaching knowing or reckless conduct.”
“Depending on the circumstances, intentional circumventions of a company’s system of records and of accounting controls by a low-level employee would not always be considered violations of the Act by the issuer. No system of adequate records and controls – no matter how effectively devised or conscientiously applied – could be expected to prevent all mistaken and improper transactions and disposition of assets. Given human nature, regardless of the adequacy of the system, a bookkeeper may still erroneously post entries, an overzealous agent may make unauthorized payments, or an unscrupulous employee may falsify records for his own purposes. The Act recognizes each of these limitations. Neither its text and legislative history nor its purposes suggest that occasional, inadvertent errors were the kind of problem that Congress sought to remedy in passing the Act. No rational federal interest in punishing insignificant mistakes has been articulated. And, the Act’s accounting provisions do not require a company or its senior officials to be the guarantors of all conduct of company employees.”
In concluding this portion of the speech, the Chairman stated:
“The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company. But, an adequate system of internal controls means that, when such breaches do arise, they will be isolated rather than systemic, and they will be subject to a reasonable likelihood of being uncovered in a timely manner and then remedied promptly. Barring, of course, the participation or complicity of senior company officials in the deed, when discovery and correction expeditiously follow, no failing in the company’s internal accounting system would have existed. To the contrary, routine discovery and correction would evidence its effectiveness.”
The highlighted language is perhaps most relevant to the reader’s question, but do the current FCPA enforcement agencies act consistent with this prior guidance?
As to the SEC’s enforcement policy, the Chairman concluded his remarks:
“The genius – and challenge – of [the accounting provisions] , it should be remembered, is their reliance on private sector decisionmaking – rather than specific federal edicts – to address an area of public concern. The Act’s eventual success or failure will, therefore, depend primarily upon business’s response. The Commission’s obligation, in turn, is to provide a regulatory environment in which the private sector can address these issues meaningfully and creatively. In this regard, we must encourage public companies to develop innovative records and control systems, to modify and improve them as circumstances change, and to correct recordkeeping errors when they occur without a chilling fear of penalty or inference that a violation of the Act is involved.”
In 2012, the DOJ and SEC jointly issued FCPA Guidance setting forth its “FCPA enforcement approach and priorities” and a specific chapter concerned the accounting provisions. Like previous enforcement agency guidance, the FCPA Guidance cited legislative history or the FCPA itself for the following statements:
“The term ‘reasonable detail’ is defined in the statute as the level of detail that would ‘satisfy prudent officials in the conduct of their own affairs.’ Thus, as Congress noted when it adopted this definition, ‘the concept of reasonableness of necessity contemplates the weighing of a number of relevant factors, including the costs of compliance.’”
“Like the ‘reasonable detail’ requirement in the books and records provision, the Act defines ‘reasonable assurances’ as ‘such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.’”
“The Act does not specify a particular set of controls that companies are required to implement. Rather, the internal controls provision gives companies the flexibility to develop and maintain a system of controls that is appropriate to their particular needs and circumstances.”
“Companies may not be able to exercise the same level of control over a minority-owned subsidiary or affiliate as they do over a majority or wholly owned entity. Therefore, if a parent company owns 50% or less of a subsidiary or affiliate, the parent is only required to use good faith efforts to cause the minority-owned subsidiary or affiliate to devise and maintain a system of internal accounting controls consistent with the issuer’s own obligations under the FCPA. In evaluating an issuer’s good faith efforts, all the circumstances—including ‘the relative degree of the issuer’s ownership of the domestic or foreign firm and the laws and practices governing the business operations of the country in which such firm is located’—are taken into account.”
Consistent with the legal authority discussed earlier in this post, the above enforcement agency guidance should provide some comfort to any compliance professional at an issuer based on the following salient points:
- an issuer need not always select the best or the most effective control measure, but the one selected must be reasonable under all the circumstances;
- “no system of adequate records and controls – no matter how effectively devised or conscientiously applied – could be expected to prevent all mistaken and improper transactions and disposition of assets”;
- “Barring […] the participation or complicity of senior company officials in the deed, when discovery and correction expeditiously follow, no failing in the company’s internal accounting system would have existed. To the contrary, routine discovery and correction would evidence its effectiveness.”
Even though “effectiveness” is not a standard set forth in the law, the FCPA Guidance does contain an entire section titled “Hallmarks of Effective Compliance Programs” which begins as follows.
“Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors. When it comes to compliance, there is no one-size-fits-all program. Thus, [the hallmarks are] meant to provide insight into the aspects of compliance programs that DOJ and SEC assess, recognizing that companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs. Indeed, small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations, a fact DOJ and SEC take into account when evaluating companies’ compliance programs. Compliance programs that employ a “check-the-box” approach may be inefficient and, more importantly, ineffective. Because each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”
The FCPA Guidance then lists several hallmarks that readers can review for themselves.
Of course none of these “hallmarks” of effective compliance programs are legal standards. The legal standards for the internal controls provisions were set forth above. Sure, we can call the hallmarks “best practices,” but not acting consistent with a “best practice” is not necessary a legal violation. (See here for the prior post).
In 2017 the above “hallmarks of effective compliance programs” were basically just converted from the narrative form in the FCPA Guidance into a question format in the DOJ’s “Evaluation of Corporate Compliance Programs.” (See here for a prior post as well). The non-binding policy document is general in nature and not FCPA specific and begins as follows:
“[T]he Fraud Section does not use any rigid formula to assess the effectiveness of corporate compliance programs. There are, however, common questions that we may ask in making an individualized determination. This document provides some important topics and sample questions that the Fraud Section has frequently found relevant in evaluating a corporate compliance program. The topics and questions below form neither a checklist nor a formula. In any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue.”
The DOJ’s Evaluation of Corporate Compliance Programs asks a lot of questions but fails to provide answers, including as to the reader’s question.
Among the questions asked relevant to the reader’s question are the following:
“How has the company assessed whether these policies and procedures have been effectively implemented?
How has the company measured the effectiveness of the training?
Confidential Reporting and Investigation
Effectiveness of the Reporting Mechanism – How has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information.”
As you can see, the word “effective” is used several times in questions, but no answers are provided.
Relevant to the reader’s question, it should also be noted that the government clearly recognizes that “no compliance program can ever prevent all criminal activity by a corporation’s employees.” (See DOJ Principles of Federal Prosecution of Business Organizations, 9-28.800, Corporate Compliance Programs).
In addition, high-ranking DOJ officials have recognized that “there will always be employees who decide to take matters into their own hands – they are a fact of life,” and that “even the best compliance program may not stop fraud or corruption from occurring.” (See Press Release, U.S. Dep’t of Justice (Jan. 26, 2011); See Press Release, U.S. Dep’t of Justice (May 26, 2010).
Indeed, the former Assistant Chief of the DOJ’s FCPA Unit candidly stated “most government attorneys realize that a company can take every reasonable step to prevent wrongdoing but ultimately is powerless if somebody really wants to break the law.” (See The Metropolitan Corporate Counsel, “Former Chief Of DOJ Fraud Unit Discusses Healthcare And FCPA Enforcement” (Sept. 29, 2012).
Yet when such real conduct fitting these precise scenarios occurs, the enforcement agencies still bring an FCPA enforcement action against the company.
For instance,in the Schering-Plough enforcement action the SEC charged the company with violating the accounting provisions based on payments made to a bona fide Polish charitable foundation because the founder and president of the foundation was also associated with a government health fund that, among other things, provided monies for the purchase of pharmaceutical products. The action was based on the conduct of one individual (a unit manager at a branch office of a foreign subsidiary) and the SEC acknowledged in the enforcement action:
- The individual structured his conduct to evade certain internal controls and otherwise provided false information on documents submitted to the company’s finance department;
- the donations were made to a bona fide charitable organization;
- the aggregate donation amount (approximately $76,000) was not material (during the relevant time period Schering-Plough’s net income was over $2 billion per year).
- the donations were recorded as “donations” on the company’s books and records.
Even though the SEC further acknowledged that “the payments to the Foundation were made without the knowledge or approval of any Schering-Plough employee in the U.S.” the SEC nevertheless charged the company with accounting violations because the donations were “to induce the purchase of Schering-Plough’s pharmaceutical products” and “none of the payments to charity [were] accurately reflected in Schering-Plough’s books and records” and its “system of internal accounting controls [were] inadequate to prevent or detect the improper payments.”
The SEC found that Hewlett-Packard (“HP”) (see here for a prior post), a technology company with over 300,000 employees worldwide, violated the accounting provisions based on the following summary allegation:
“HP Co.’s indirect, wholly-owned subsidiaries in Russia, Mexico and Poland, by and through their employees, agents and intermediaries, made unlawful payments to various foreign government officials to obtain business. These payments were also falsely recorded in the subsidiaries’ books and records and, ultimately, in HP Co.’s books and records.”
As to the company’s internal controls, the SEC’s found:
“HP failed to devise and maintain an adequate system of internal accounting controls sufficient to provide reasonable assurance that: (1) access to assets was permitted only in accordance with management’s authorization; (2) transactions were recorded as necessary to maintain accountability for assets; and (3) transactions were executed in accordance with management’s authorization.”
In announcing the enforcement action, the SEC stated:
“Hewlett-Packard lacked the internal controls to stop a pattern of illegal payments to win business in Mexico and Eastern Europe. The company’s books and records reflected the payments as legitimate commissions and expenses. Companies have a fundamental obligation to ensure that their internal controls are both reasonably designed and appropriately implemented across their entire business operations, and they should take a hard look at the agents conducting business on their behalf.”
Yet elsewhere in the resolution documents of the $108 million parallel DOJ and SEC enforcement action, the government acknowledged the following about HP’s internal control environment at the time of the alleged improper conduct:
- HP had existing FCPA and related policies and procedures in place and all relevant employees received training on the policies;
- HP had existing policies and procedures in place related to commission payments to channel partners, due diligence of channel partners, and other tracking policies regarding channel partners;
- HP had an existing approval process in place that applied to all service-related projects valued at greater than $500,000 anywhere in the world and as part of that process HP managers questioned relevant subsidiary employees at questionable information; and
- HP had an existing SOX certification and sub-certification process in place as relevant to the referenced subsidiaries.
It would seem quite clear that the government would have found violations of the internal controls provisions if:
- HP did not have FCPA policies relevant to all employees;
- HP did not have policies relevant to third party commission payments and due diligence of third parties; or
- HP did not have an approval process or SOX certification and sub-certification process.
However, according to even the government, HP did these things and yet the government still found HP to be in violation of the accounting provisions because, in the words of the government, a “small fraction” of employees at certain foreign subsidiaries engaged in covert means to willfully circumvent HP’s internal controls. Among the covert means used by this “small fraction” of employees was communicating through anonymous e-mail accounts and prepaid mobile telephones and a subsidiary employee and alleged foreign official driving around in vehicles in “remote locations” and typing “messages in a text file, passing the computer between themselves.” According to the government, “communications were made in this fashion to avoid possible audio recording of the discussions by hidden devices, and to circumvent HP’s internal controls.” The HP enforcement action thus seems to represent a “damned if you, damned if you don’t” theory of enforcement and would seemingly result in every issuer violating internal controls provisions when a “small fraction” of employees take drastic measures to willfully circumvent existing internal controls.
A final enforcement action, and recognize there are many more that could also be highlighted,” concerns Nu Skin Enterprises (a small Utah-based company involved in the manufacturing and marketing of cosmetic and nutritional products primarily through direct selling, or multi-level marketing, channels). The SEC specifically noted the following regarding Nu Skin’s internal controls at the time of the alleged improper conduct involving a charitable donation made “to obtain the influence of a high-ranking Chinese Communist party official to impact an on-going provincial agency investigation.”
- Nu Skin identified the FCPA risks inherent in the charitable donation and advised its Chinese subsidiary to consult with outside U.S. legal counsel based in China to ensure that the donation complied with the FCPA; and
- Nu Skin’s outside counsel made recommendations to the Chinese subsidiary, but employees at the subsidiary acted contrary to counsel’s recommendations and otherwise failed to disclose certain relevant information to the company.
Once again, it would seem quite clear that the government would have found violations of the internal controls provisions if Nu Skin did not pro-actively identify the FCPA risks inherent in a charitable donation and did not advise its Chinese subsidiary to consult with U.S. legal counsel in China concerning the donation. However, Nu Skin did these things and yet the SEC still found in the approximate $765,000 enforcement action that:
“Nu Skin violated the books and records provisions because: “in its wholly-owned subsidiary’s expenditure authorization form, the purpose of the payment to the charity was inaccurately and/or unfairly described as a donation rather than an improper payment to obtain the Party Official’s influence”
“Nu Skin violated the internal controls provisions because: it “did not ensure that adequate due diligence was conducted by Nu Skin China with respect to charitable donations to identify links to government or political party officials and to prevent payments intended to improperly influence such persons in violation of the company’s anticorruption policy and the FCPA.”
The Nu Skin enforcement action also seems to represent a “damned if you, damned if you don’t” theory of enforcement and would seemingly result in every issuer being in violation of the internal controls provisions when its instructs a foreign subsidiary to consult legal counsel regarding a specific issue, but the foreign subsidiary acts contrary to legal counsel’s recommendations and otherwise fails to disclose certain relevant information to the parent company.
Returning to the reader’s question, what is the answer?
My best answer is that compliance professionals need to gain comfort with uncertainly and recognize that there are few concrete answers to many compliance issues and also recognize that there may be tension between actual legal authority (and even enforcement agency guidance) and actual FCPA enforcement actions.
It’s a heck of a place to leave a compliance professional, but it is my best answer to the reader’s question.
FCPA Institute - Boston (Oct. 3-4)
A unique two-day learning experience ideal for a diverse group of professionals seeking to elevate their FCPA knowledge and practical skills through active learning. Learn more, spend less. CLE credit is available.