I am just back from our nation’s capital attending the Society of Corporate Compliance and Ethics (SCCE) 2013 annual Compliance and Ethics Institute. If you have a chance to attend next year’s event in Chicago I urge you to do so. The sessions were first rate, topical and had great insights. The networking and sharing of information was also great. While the vendors were there to market their own products and services they were clearly part of the overall solution, so kudos to every company that showed at the event. Hats off to everyone on Team SCCE for doing a great job. Finally, to Roy Snell, Matt Kelly was right; you take the casual, hip look up to the next level, I wish I had your style.

One of the sessions I attended was entitled “Compliance Due Diligence In Multi-National Transactions: Mergers & Acquisitions and Third Parties”, led by Louis Perold, Legal Compliance Manager at Sasol Ltd., and Krista Muszak, Senior Compliance Analyst at Paychex, Inc. In this session, they laid out the steps that you should take when looking at an acquisition from the compliance perspective.

I.                   Review

They suggested a five step process which I thought was well laid out to show you how to plan and execute a strategy to perform pre-acquisition due diligence in the merger context. The process was as follows:

1. Establish a point of contact. Here you need to determine one point of contact that you can liaise with throughout the process. They suggested that typically this would be the target’s Chief Compliance Officer (CCO) if the company is large enough to have full time position.
2. Collect relevant documents. The documents suggested that you begin with are a detailed list of sales going back 3-5 years, broken out by country and, if possible, obtain a further breakdown by product and/or services; all JV contracts and due diligence on JVs and other third party business partners; the travel and entertainment records of the acquisition target company’s top sales personnel in high risk countries; internal audit reports and other relevant documents.
3. Review the compliance and ethics mission and goals. Here they said you should look at the Code of Conduct or other foundational documents that a company might have to gain some insight into what they publicly espouse.
4. Review the seven elements of an effective compliance program, as below:

A. Oversight and operational structure of the compliance program. Here you should assess the role of board, CCO and if there is one, the compliance committee. Regarding the CCO, you need to look at their reporting and access – is it independent within the overall structure of the company? Also, what are the resources dedicated to the compliance program including a review of personnel, the budget and overall resources?

B. Policies/Procedures, Code of Conduct. In this analysis you should identify industry practices and legal standards which may exist for the target company. You need to review how the compliance policies and procedures were developed and determine the review cycles for compliance policies, if any. Lastly, you need to know how everything is distributed and what are the enforcement mechanisms for compliance policies? The speakers pointed out that you should check with HR for terminations or discipline relating to compliance

C. Education, training and communication. Here you need to review the compliance training process as it exists in the company; both the formal and the informal. You should ask such questions as “What are the plans and schedules for compliance training?” Next determine if the training material itself is fit for intended purpose, including both internal and external training for third parties. You should also evaluate the training delivery channels. Is the compliance training delivered live, online, or through video? Finally, assess whether the company has updated their training based on changing of laws.

D. Monitoring and auditing. Under this section you need to review both the internal audit plan and methodology used regarding any compliance audits. A couple of key points are (1) is it consistent over a period of time and (2) what is the audit frequency? You should also try and judge whether the audit is truly independent or if there was manipulation by the business unit.

E. Reporting. What is the company’s system for reporting violations or allegations of violations? Is the reporting system anonymous? From there you need to then turn to who does the investigations and how are they conducted? A key here, as well as something to keep in mind throughout the process, is the adequacy of record keeping by the target.

F. Response to detected violations. This review is to determine management’s response to detected violations. What is the remediation that has occurred and what corrective action has been taken to prevent future, similar violations. Has there been any internal enforcement and discipline of compliance policies if there were violations? Lastly, what are the disclosure procedures to let the relevant regulatory or other authorities know about any violations and the responses thereto?

G. Enforcement Practices/Disciplinary Actions. Under this analysis, you need to see if there was any discipline delivered up to and including termination. If remedial measures were put in place, how were they distributed throughout the company and were they understood by employees?

5. Review the periodic evaluation of the program’s effectiveness. Under this they suggested a review of the target’s internal audit reports or outside investigations if they were performed.

II.        Red Flags

The speakers provided a short list of red flags that, should you determine exist, need to be further investigated and cleared. They listed the following:

• Ineffective compliance program elements
• Company in financial difficulty
• Frequent breach of policies and procedures
• Inactive compliance and ethics committee
• No access to the board
• No regular reports to the board
• CCO not allowed direct access to the Chief Executive Officer (CEO)
• Lack of independence
• Frequent requests to waive policies
• No consistent consequence management for violations

III.             Evaluation

The speakers also provided a ranking system which can be used to think through and evaluate the information that you have obtained. They proposed the following.

• Level 1 – Absent. There is no commitment to compliance illustrated by no dedicated resources, no formal compliance policy and the absence of a compliance program.
• Level 2 – Reactive. There is commitment to address compliance issues when major breaches arise.
• Level 3 – Foundational. While there is commitment to address compliance issues when major breaches arise, there is no formal compliance program but policies and monitoring activities are put in place to prevent the reoccurrence of major breaches.
• Level 4 – Proactive. There is a commitment to have a strong compliance program in place with dedicated resources and a clear assessment of all risk areas. The program encompasses ongoing monitoring and measurement as well as proactive and preventative elements.
• Level 5 – Embedded. The compliance program pervades the organization in every respect: strategically, culturally and operationally. Every staff member is aware of and takes appropriate responsibility for the effective implementation of the compliance program and its ongoing improvement.

I found their program a very useful session on how you should think through performing due diligence on a target in the acquisition context. With the Department Of Justice’s (DOJ’s) emphasis on pre-acquisition due diligence, as set out in last year’s FCPA Guidance, I think more companies will need to strengthen this portion of their compliance program.

And once again, a big thanks to SCCE for a great week at the Compliance and Ethics Institute 2013.