Last week the Justice Department (DOJ) announced a resolution of the long standing Foreign Corrupt Practices Act (FCPA) enforcement action involving Telefonaktiebolaget LM Ericsson (Ericsson), a multinational networking and telecommunications equipment and services company headquartered in Sweden. The matter was stunning in the total amount of fines and penalties assessed, coming in at over $1 billion, consisting of a criminal fine assessed by the DOJ at just over $520 million. Separately, the Securities and Exchange Commission (SEC) assessed profit disgorgement of nearly $540 million. Over the next several blog posts, I will be considering the Ericsson FCPA enforcement action. Today, I consider the internal controls failures.

The documents reference herein consist of the following:

1. DOJ Press Release (Press Release);
2. SEC Complaint against Ericsson (SEC Compliant);
3. DOJ Deferred Prosecution Agreement with Ericsson (DPA);
4. Ericsson Egypt Ltd. Plea Agreement (Ericsson Egypt Plea Agreement);
5. DOJ Superseding Information with Ericsson Egypt (Ericsson Egypt Information); and
6. DOJ Information with Ericsson (Ericsson Information)

Yesterday, I broke down the bribery schemes by country where Ericsson engaged in bribery and corruption. I want to use that same country-by-country format to consider the internal control issues involved.

Djibouti

Here the internal control failure broke down into three key categories. First, there was an internal control failure due to no due diligence on the corrupt consulting company involved. If there had been due diligence, it would have revealed that the consulting company was registered to the spouse of a corrupt foreign official and that same corrupt foreign official acted as the representative of Consulting Company A. When this failure was pointed out, there was management override of an internal control as an Ericsson employee completed a draft due diligence report that failed to disclose the spousal relationship between the owner of Consulting Company A and the corrupt foreign official. The final internal control failure was lack of contract review as there was a sham contract with Consulting Company A for services that were never intended to be performed. Finally, there was internal control override as the same Ericsson employee who forged the due diligence approved an invoice requesting payment of €1,000,000 for 5,000 hours of work that was never performed.

China

In China, there was not the due diligence failures present but rather China business unit employees entered into False Service Agreements with pre-existing approved service providers. This was an internal control failure as there was no requirement for either due diligence for subagents of previously approved service providers. Moreover, as the services contemplated in the False Service Agreements were never intended to be provided this internal control failure was compounded. Next there was an internal control override as fraudulent invoices were approved and those funds generated the pot of money which was used to pay bribes. This internal set of control failures were further compounded by a second internal control failure that came with the False Service Development Agreements. Again, these contracts were used as the basis to sign purchase requests and approve invoices with newly established third-party service provider companies, none of whom had passed due diligence. These False Service Development Agreements entered into were in violation of Ericsson policy.

Vietnam

In Vietnam, there was control override, control failure and control fraud. The first was an internal control failure where good old-fashioned cash was actually delivered to a corrupt consulting company to create a slush fund out of which the consulting company would pay bribes under the direction of Ericsson employees. We are not talking about petty cash to pay parking but millions of dollars. (Didn’t someone ask where the petty cash was going or for receipt?) The control override was that the slush fund accounts were used to make payments to other third parties who Ericsson employees knew would not be able to pass Ericsson’s due diligence control processes. The management control override was that payments to the corrupt consulting company were made pursuant to sham contracts for services that were never performed. Finally, certain Ericsson employees mischaracterized these payments and improperly recorded them in Ericsson’s books and records.

Indonesia

In Indonesia, the internal control failures were basically the same as those in Vietnam but on a much grander scale.  The control failures were that sham contracts for services, which were never performed, were used to create a fund for bribe payments of approximately $45,000,000. There was control override as Ericsson employees involved took active steps to conceal these payments on Ericsson’s books and records. Finally, toward the end of the Indonesia bribery scheme, Ericsson made termination payments to the corrupt consulting company but “improperly recorded these payments in a “Customer Service” account connected with a “Cost of Sales” account.”

Kuwait

In Kuwait the control failures started with a bribe payment, funded by a corrupt agent and paid to a corrupt foreign official. This led to an after-the-fact Consultancy Frame Agreement under which $450,000 was paid to the corrupt consulting company. There was then an internal control failure as local employees approved a fake invoice for services that were never performed in order to paper over the payment.

Saudi Arabia

Here there were internal control failures, ineffective internal controls and management override of internal controls. Management entered into sham consulting agreements. The ineffective internal controls were the authorization of payments to the consultants while knowing or recklessly ignoring red flags which indicated a high probability that at least a portion of these commissions were bribe payments. It also included payments made to the Channel Islands for services allegedly delivered in Saudi Arabia. Finally, the internal controls failures included that due diligence performed on the corrupt Saudi consultants was completed almost one year after the contracts were signed. The due diligence was a sham and was conducted only because it was necessary to begin making payments.

I have listed out all of these internal control failures to emphasize the purpose that each step of due diligence, contracting and payment processes are compliance controls. Ericsson subjected itself to both criminal and civil liability through its actions and this double liability led directly to its $1.06 billion fine.

Join me tomorrow where I look at actions of Ericsson before, during and after the investigation and how those actions cost it millions of dollars in additional penalties.

[View source.]