Internal Audit Review of Charitable Donations Under the FCPA

by Thomas Fox

When is a rose not a rose? When it is a charitable donation not made for philanthropic purposes and it violates the Foreign Corrupt Practices Act (FCPA). I thought about that concept when reviewing the Eli Lilly and Company (Lilly) FCPA enforcement action brought by the Securities and Exchange Commission (SEC) late last month. The Lilly enforcement action discussed a bribery scheme utilized by Lilly in Poland. The scheme and FCPA violations mirrored an earlier FCPA enforcement action, also brought by the SEC as a civil matter, rather than by the Department of Justice (DOJ) as a criminal matter, against another US entity Schering-Plough, for making charitable donations in Poland which violated the FCPA. One of the remarkable things about both of these enforcement actions, brought almost eight years apart, was that they involved improper payments to the same Polish charitable foundation to wrongfully influence the same Polish government official to purchase products from both of these companies.

I.                   The Bribery Schemes

Both companies were involved in negotiations for the sale of products with the Director of the Silesian Health Fund (Health Fund). He had also established a charitable foundation, the Chudow Foundation to engage in restoration of ancient castles in Poland. Both companies made donations to the Chudow Foundation at or near the time decisions were made regarding the purchase of their respective products by the Health Fund. The FCPA books and records violations for the donations stated that they were all mischaracterized on the respective company’s books. The donations were made by each company with the description for the donations as follows:


  Date Amount of Donation Listed Reason for Donation
1 6/21/2000 $2,730 Purchase of computers
2 11/13/2000 $1,855 To support the foundation in its goal to develop activities in [Chudow Castle]. It was also noted that the ‘value of the request’ was indirect support of educational efforts of foundation settled by Silesian [Health Fund]
3 5/22/2001 $8,019 Rental of castle for conferences
4 11/05/2001 $2,438 Rental of castle for conferences
5 3/27/2002 $7,779 Rental of castle for conferences
6 6/14/2002 $7,434 Rental of castle for conferences
7 11/20/2002 $5,112 Rental of castle for conferences
8 1/29/2003 $2,622 Rental of castle for conferences
  Total $37,989  

Although all of these donations were approved by a team within Lilly, the “Medical Grant Committee [MGC]”, who reviewed the request for such donations, the MGC’s approval was “largely based on the justification and description in the submitted paperwork.” While Requests 1 & 2 may have had tangential value to the stated purpose of the Chudow Foundation to restore castles in Poland, even Request 3 was clearly a quid pro quo as an action to obtain business. Just as clearly, ‘rental of castle’ is not a charitable donation but an expenditure, even with that understanding, the SEC Complaint noted that Lilly held no conferences at any castles so it was an outright misrepresentation.


  Date Amount of Donation Listed Reason for Donation
1 2/23/1999 $777 Covering fight against viral hepatitis
2 3/17/2000 $4,909 Support of health campaign within county of Gliwice
3 7/19/2000 $8,065 Financing second stage of health prevention campaign in Gliwice
4 11/8/2000 $8,766 Financing for the Foundation
5 12/20/2000 $9,292 Financing second stage of research
6 3/19/2001 $4,340 Financing lung cancer prevention program
7 3/22/2001 $4,854 Financing screening examinations to detect skin cancer
8 4/25/2001 $4,958 Support of lung cancer prevention program
9 6/4/2001 $5,019 Support of lung cancer prevention program
10 10/29/2001 $4,878 Support of a coronary disease prevention program and promote the image of the company in the medical community
11 12/18/2001 $10,067 Support of an anti-chain smoking health program and promote the company as one that cares about the people of Silesia
12 12/19/2001 $5,067 Financing of Foundation
13 3/25/2002 $4,868 Support actions of Foundation in preventing infectious diseases of the liver
  Total $75,860  

The Schering-Plough SEC Complaint noted that the company Manager involved in the payment scheme, “provided false medical justifications for most of the payments on the documents that he submitted to the company’s finance department.” Additionally, he structured the payments so that they were at or below his approval limit so that he did not have to ask for permission to make the improper payments. The Manager in question viewed the donations as “dues that were required to be paid for assistance from the Director.”

II.                The Red Flags for Charitable Donation

 a.     Schering-Plough

What were the factors which should become red flags for the review of charitable donations under the FCPA? The Schering-Plough SEC Complaint listed several items which it deemed indicia of red flags.

1.      No due diligence. The first is that no due diligence was performed on the charity to identify the Director of the Silesian Health Fund as the founder or his role in the Chudow Foundation.

2.      Donations not related to health care. While the company permitted donations to healthcare related programs there was no follow up to determine the purposes or uses of the donated funds.

3.      Outside normal range of donation. The next red flag was that the donations made to this single charitable foundation approximately 40% of the company’s promotional budget in 2000 and 20% in 2001.

4.      Disproportionate sales. The company’s sales increased disproportionately compared with its own sales of the same products in other areas of Poland. Up to 53% of one product was sold in the region run by the Director of the Silesian Health Fund.

b.  Lilly

The Lilly SEC Complaint listed several items which it deemed indicia of red flags.

1.      No due diligence. Once again there was no due diligence performed on the charity to identify the Director of the Silesian Health Fund as the founder or his role in the Chudow Foundation.

2.      Donations not related to health care. Unlike Schering-Plough, the reasons listed for the charitable donations did not relate to health care. Moreover, they were approved by a Lilly committee specifically tasked with reviewing such requests failed to investigate beyond the submitted paperwork, which was apparently not correct.

3.      Outside normal range of donation. The SEC Complaint quoted an email from a Lilly manager who said that he had decided to commit 70-75% of the [charitable donation] budget and the Director of the Silesian Health Fund was given a “free hand to manage the Lilly investment, emphasizing the fact we only doing this for him…”

4.      Suspicious Timing. The donations were made at or near the time that decisions on the purchase of Lilly products were made by the Director of the Silesian Health Fund. One donation was made two days are the Director of the Silesian Health Fund agreed to make a purchase of Lilly products.

Here Lilly used charitable donations to a charitable foundation which was, as stated in the SEC Complaint, “founded and administered by the head of one of the regional government health authorities at the same time that the subsidiary was seeking the official’s support for placing Lilly drugs on the government reimbursement list.” There were a total of eight payments made to the charitable foundation. In addition to the charitable donations made, Lilly “falsely characterized the proposed payments”. Lilly had a group which reviewed the request for such donations called the “Medical Grant Committee [MGC]” which approved the payments “largely based on the justification and description in the submitted paperwork.”

III.       The Role of Internal Audit

Jon Rydberg, Principal of Orchid Advisors, has categorized the Lilly situation as one of a failure of internal controls. I would add that there was also a failure of internal audit. What does internal audit need to review in the context of charitable donations under the FCPA? Internal audit needs to start with the DOJ FCPA Guidance regarding charitable donations. Internal audit should begin by asking the following five initial questions:

(1)   What is the purpose of the payment?

(2)   Is the payment consistent with the company’s internal guidelines on charitable giving?

(3)   Is the payment at the request of a foreign official?

(4)   Is a foreign official associated with the charity and, if so, can the foreign official make decisions regarding your business in that country?

(5)   Is the payment conditioned upon receiving business or other benefits?

Next internal audit should make inquiries based upon the DOJ Opinion Releases issued regarding charitable donations. Some of the protections a company can do to comply with the FCPA regarding charitable donations are as follows:

1)      Have the donation recipients certified that they or the entity will comply with the requirements of the FCPA;

2)      Has the recipient provided audited financial statements; and

3)      Has the recipient restricted the use of the donated funds to humanitarian or charitable purposes only;

4)      Were the funds transferred to a valid bank account; and

5)      Ongoing auditing and monitoring of the efficacy of the charitable donation program.

Based upon the Schering-Plough and Lilly SEC enforcement actions, there are some additional inquiries that internal audit should make, they are as follows:

a.      What was the timing of the charitable donation or promise to make a donation in relation to the obtaining or retaining of business?

b.      Did the company follow its normal protocol for requesting, reviewing and making a charitable donation or is there a pattern of unusual donations outside the protocol?

c.       Did any one person make multiple donations just below their authority level so that it did not have to go up the line for review?

d.      Was the total amount donated to one charitable foundation out of proportion to the rest of the country or region’s charitable donation budget?

e.       Did the sales in one area, region or country spike after a pattern of charitable donations?

The information on the red flags from the prior Opinion Releases and the best practices, as set out in the FCPA Guidance, have been available for some time. I think that the information found in both the Schering-Plough and Lilly enforcement actions have a different focus for internal audit. In addition to looking at the timing of charitable donations to see if they are at or near the time of the awarding of new or continued business, I think that internal audit may now need to look at overall increases in sales to determine if they are tied to a pattern of charitable donations. I once heard my colleague Henry Mixon explain how the award of a contract may be the product of fraud or corruption. By looking at the timing and quantum of charitable donations, internal audit may be able to ascertain that a spike in sales is tied to corrupt conduct. This may not be something that is on the current radar of auditors when they review charitable donations, but may now be something they need to consider.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising

Written by:

Thomas Fox

Compliance Evangelist on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.