Over the past 15 months the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) has made clear through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations and best practices compliance programs. Every compliance professional should study each of these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about the priorities.
The three FCPA enforcement actions are ABB from December 2022; Albemarle from November 2023 and SAP from January 2024. Taken together they point a clear path for the company which finds itself in an investigation, using extensive remediation to avoid a monitor and insight for the compliance professional into what the DOJ expects in a best practices compliance program on an ongoing basis.
Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today we continue with Number 9, Internal Controls. The DOJ has made clear that any organization which finds itself under FCPA scrutiny must use your internal controls to engage in continuous testing, monitoring and improvement of all aspects of its compliance program.
SAP
As a part of its remediation, the company conducted a gap analysis of internal controls. This remediation found those internal controls “lacking.” SAP also undertook a “comprehensive risk assessment focusing on high-risk areas and controls around payment processes and enhancing its regular compliance risk assessment process.” Using this risk assessment as a starting point, the company went on to perform a gap analysis and determine the overall remediation regime needed and effectuated that remediation.
ABB
The ABB Plea Agreement reported that ABB “performed a root-cause analysis of the conduct at issue. From there the company revamped its internal controls, investing significant additional resources in controls testing and monitoring throughout the organization. While not often seen as a part of internal controls, the company restructured its reporting by internal project teams to ensure compliance controls oversight.
Additionally, ABB essentially created its own monitorship around controls testing its compliance program and reporting to the DOJ. In a section entitled “Written Work Plans, Reviews and Reports”, ABB agreed to conduct a first review and prepare a first report, followed by at least two follow-up reviews and reports. But more than simply reporting on controls testing, ABB agreed to create and submit for review a workplan for this ongoing testing of its compliance program, as the program was detailed in the DPA. The DPA specified, “No later than one (I) year from the date this Agreement is executed, the Company shall submit to the Offices a written report setting forth:
- a complete description of its remediation efforts to date;
- a complete description of the controls testing conducted to evaluate the effectiveness of the compliance program and the results of that testing; and
- its proposals to ensure that its compliance program is reasonably designed, implemented, and enforced so that the program is effective in deterring and detecting violations of the FCPA and other applicable anti-corruption laws.”
The bottom line is that all these companies worked very hard to significantly enhance its controls, there testing and monitoring and then improvement based upon that information. None of the actions by these companies was particularly new or even innovative. Indeed, these strategies have been available from the DOJ since at least the first edition of the FCPA Resource Guide, from 2012. It was however the work by the company to understand the deficiencies in their internal controls’ regime and their superior efforts to upgrade them.
Albemarle
The Albemarle SEC Order was instructive around internal controls for a different reason than we have been considering throughout this series. The Order detailed a series of internal control failures by the Company across multiple business units in several different countries. The entire story painted a picture of a company which certainly did not have effective or easily over-ridden internal controls.
Vietnam. The Order noted, “Albemarle’s system of internal accounting controls was insufficient to prevent or detect these improper payments, which Albemarle Singapore falsely recorded as legitimate commissions in books and records that were consolidated into Albemarle’s financial statements.”
India. An India Agent’s commission was increased multiple times, without compliance oversight or approval via a backdated agreement. Commissions went from “extremely high” and “far from any possible realistic justification.” Finally, “The agreement called for payment of a three percent commission to India Agent, a rate three times higher than that paid to Albemarle’s existing agent for India.”
Indonesia. Albemarle’s system of internal accounting controls was insufficient to prevent or detect the improper payments made to and through Indonesia Agent, which Albemarle Singapore falsely recorded as legitimate commissions and business expenses in books and records that were consolidated into Albemarle’s financial statements.”
China. When an Albemarle business director questioned China Agent’s compensation as “high,” an Albemarle Netherlands business director provide the business justification that he anticipated large returns on the contract.
UAE. No due diligence was conducted on an agent until after the agent agreement had been executed. The Agent provided no discernable services other than conveying confidential tender evaluations and competitors’ bids obtained from the customer.
Each of these resolutions drive home the importance of internal controls, there creation and remediation as a key part of your overall compliance regime remediation during any investigation. The sooner you can start on your internal controls, the better off you will be in your negotiations with the DOJ and SEC.
[View source.]
