OECD Foreign Bribery Report Debunks a Number of Widely Held Beliefs on Bribery

by Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice

Over the past week, since its December 2, 2014 release, anti-corruption nerds everywhere, myself included, have been poring over the recently released Organization for Economic Cooperation and Development (OECD) Foreign Bribery Report – An Analysis of the Crime of Bribery of Foreign Public Officials. For those of you unfamiliar with the report, it is a study of 427 prosecutions of bribery offenses that have been brought in countries that are signatories to the OECD Anti-Bribery Convention, enacted in 1999. The report is a very comprehensive analysis of cases involving bribery of foreign officials, and it debunks some widely held beliefs about bribery and corruption. It also provides valuable insights into the industries in which bribery is most prevalent, categories of bribe recipients and the role of intermediaries, as well as how often corporate management is aware of bribery and how these cases come to light.

Widely Held Belief Number 1: Most Bribes Are Paid in Emerging Markets

The report found that “two-thirds of bribes were paid to officials in countries higher on the UN Human Development Index.” The UN Human Development Index is a composite statistic of life expectancy, education and income indices used to rank countries into four tiers of human development as a means of measuring how developed a country is. While the OECD report pointed out that this number may be somewhat skewed by the fact that more developed countries may be less reticent to share details of their bribery cases, it is a surprising finding nonetheless.

Widely Held Belief Number 2: The Majority of Bribe Payments Are the Acts of Rogue Employees

The report found that 53 percent of cases involved corporate management or CEOs. More specifically, it found that in 41 percent of cases, management-level employees paid or authorized the bribe, and in 12 percent of cases, the CEO was involved. Corporate culture is set by its leadership, and the “tone at the top” is considered one of the ten hallmarks of an effective compliance program. Corporate leadership that tacitly approves bribery with a wink and a nod and gives lip service to compliance but fails to back up compliance personnel and instead overrules them in favor of meeting sales goals or quarterly earnings contributes greatly to this staggering figure.

Widely Held Belief Number 3: Bribery Is Usually the Result of Corrupt Government Regulators or Inspectors

The report examined the unfair business advantages that bribe payers were seeking and found that in 57 percent of cases, bribes were paid to obtain public procurement contracts. The other business advantages sought by bribe payers included customs clearance (12 percent), tax relief (6 percent), other preferential treatment (7 percent), obtaining a license, permit or other form of governmental approval (6 percent) and access to confidential information (4 percent).

The fact that the majority of the 427 cases examined involved bribery to obtain public procurement contracts should cause any company operating outside the U.S. selling to governments and state-owned companies to sit up and take notice. If there is a positive to be gleaned from this statistic, it is that companies involved in bidding on public procurement projects have now been signaled that strengthening controls around public procurement will go a long way toward lowering their exposure to liability under the various anti-bribery statutes to which they may be subject.

Widely Held Belief Number 4: There Is a Staggering Array of Categories of Foreign Official that Could Trigger Corruption Liability

There is, indeed, a wide range of individuals who meet the definition of “foreign official” or “foreign government official.” However, the report shows that 95.1 percent of all bribe value was paid to public officials in only five categories: officials of state-owned enterprises (SOEs) (80.1 percent), heads of state (6.97 percent), government ministers (4.08 percent), defense officials (2.93 percent) and customs officials (1.14 percent). Given the volume of bribe value being paid to officials of SOEs, is it any wonder that defense attorneys have been seeking to challenge the terms “foreign official” and “instrumentality of a foreign government”? When considered together with the fact that 57 percent of bribery cases relate to public procurement, this statistic makes board room discussions even more critical within any organization seeking a government contract and engaging with officials of SOEs, heads of state and government ministers in the process.

We’ve had numerous discussions with clients over the years that started with the sentence: “We just had a very uncomfortable conversation with the SEC.” They continue by elaborating that they couldn’t answer basic questions, including “Which of your customers are state-owned, how do you arrive at those conclusions and what is the heightened standard of care that you hold them to?” You either know the answers to these questions or you don’t. Given the statistics we just quoted, companies with international operations would be well served by being able to distinguish readily between the SOEs and government agencies and the private enterprises in their customer base. Companies that can’t answer this basic question and articulate how they go about mitigating the risks associated with interacting with employees of SOEs are not likely to receive a determination of an effective compliance program from anyone who matters.

Other Findings of Note

Numerous Signatory Countries to the OECD Anti-Bribery Convention Have Never Prosecuted a Single Bribery Case

Aside from debunking some widely held beliefs about bribery, the OECD Foreign Bribery Report offered some other very interesting facts, including in what it didn’t explicitly point to. One such noteworthy implication is that there are 41 signatory countries to the OECD Anti-Bribery Convention, yet the 427 prosecution cases brought since its going into force in 1999 come from only 17 countries. Thus, 24 signatory countries to the OECD Anti-Bribery Convention have not prosecuted a single bribery case since signing. Worse still, seven of the 17 who have prosecuted bribery schemes have only prosecuted one scheme each since signing.

The “Hall of Shame” of non-prosecutors includes Argentina, Australia, Austria, Brazil, Chile, Colombia, Czech Republic, Denmark, Estonia, Finland, Greece, Iceland, Ireland, Israel, Latvia, Mexico, New Zealand, Portugal, Russia, Slovakia, Slovenia, South Africa, Spain and Turkey. Nor do Belgium, Bulgaria, Hungary, Luxembourg, Netherlands, Poland and Sweden have much to brag about, as they have each prosecuted only one bribery scheme since signing to the Convention.

Internal Audit and Mergers & Acquisitions (M&A) Activities Triggered Nearly 20 percent of Cases

According to the report, one-third of cases were instigated by self-reporting. Of those, 31 percent were triggered by internal audits and 28 percent by M&A due diligence activity. In total, nearly 20 percent of cases reported to law enforcement were uncovered through this combination of internal audits and M&A due diligence. This fact clearly demonstrates the importance of two of the ten hallmarks of an effective compliance program: Continuous Improvement: Periodic Testing and Review, and Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration.

Internal Audit. In most organizations, internal auditors are generalists. But when considered an extension of the organization’s anti-corruption program – as supported by the report finding – it’s obvious why internal audit should receive advanced anti-corruption training. Specifically, internal auditors should understand key concepts comprising the various anti-corruption statutes to which the organization is subject, the risk factors that can trigger liability, the types of red flags indicative of potential problems, and the investigative steps to follow in the event they suspect a potential violation.

Due Diligence. According to the Resource Guide to the U.S. Foreign Corrupt Practices Act (FCPA Guide), jointly published by the SEC and the U.S. Department of Justice in 2012, “Inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target.”

An important and sometimes overlooked aspect of acquisition due diligence is the performance of an anti-corruption risk assessment. In a perfect world, all acquisition targets have robust anti-corruption programs. In actuality, many small and midsize companies operating overseas do not have any type of anti-corruption program. That is why the performance of a high-level anti-corruption risk assessment is so important.

Gaining an understanding of the company’s ownership group, executive team, customer base, distribution channels, sales and marketing, products and services, activities, and ties to foreign officials will better position a potential acquirer to evaluate the true purchase price, inclusive of any compliance remediation work that may be necessary to properly integrate the entity post-acquisition. Not only will doing an anti-corruption risk assessment on the front end lower the risk of a future bribery violation, it could provide the acquiring company with additional leverage in negotiating a more favorable purchase price.

75 Percent of Cases Involved Payments Through Intermediaries

The OECD Foreign Bribery Report validated what most everyone in the anti-corruption field has known for a long time: the majority of bribes (75 percent) are paid by intermediaries. Of these, 41 percent fall into the category the report refers to as “agents.” The term is actually broader than the name suggests and includes sales and marketing agents, distributors and brokers. The next most popular type of intermediary (35 percent) is what the report calls “corporate vehicle.” Corporate vehicle is a term for a mishmash grouping of subsidiary companies, local consulting firms, offshore companies in tax havens and companies established under the beneficial ownership of bribe payers or recipients.

While third-party anti-corruption due diligence has become a cottage industry in the past five years or so, many organizations still employ a fairly minimalist approach to vetting their intermediaries, focusing most if not all of their efforts on commissioned sales agents since they represent the greatest degree of risk. While for most companies placing their initial focus on agents is justified, many other categories of intermediaries also pose potential corruption liability. Companies would be well served by conducting an inventory of their business intermediaries so that they can categorize them based upon the relative bribery risk they may represent. Such categorization should include how long the intermediary has been in existence, whether its primary role is to engage with a specific government agency or state-owned company on behalf of its clients and whether any of its control persons were previously in senior roles within those agencies or SOEs.

Often overlooked in the group of intermediaries are service providers such as attorneys or accountants. And before the GlaxoSmithKline case, who would have thought that there was intermediary risk associated with travel agents? A critical success factor for understanding third-party risk is to identify the universe of business intermediaries and focus attention on what they do rather than what label is used to describe them. Often, entities working in a commissioned sales agent role are referred to as “consultants,” which could cause this category to be overlooked, especially if the third-party management program is sales agent-centric. A more useful approach is to focus on compensation, including whether the intermediary is paid as a percentage of a sale or on a contingency fee or success fee basis.

Conclusions

The OECD Foreign Bribery Report provides the latest evidence that foreign bribery remains pervasive, and enforcement outside of just a handful of OECD signatory countries ranges from infrequent to non-existent. It paints a vivid picture of corruption as global and spanning multiple industries, with bribe payers who are increasingly sophisticated in how and through whom they pay bribes and how they conceal their activity through a web of opaque legal entities in offshore safe havens.

The report should be required reading for anyone in compliance and for any company’s senior leadership. By studying the report and understanding the various ways that companies can trigger liability under the FCPA and other international anti-bribery statutes, companies can develop better anti-bribery controls and raise awareness across their organizations, through their sales and distribution channels and into their customer bases. By applying the lessons learned from the report and through their own experiences and tailoring their programs accordingly, companies will become less attractive to bribe takers, and unscrupulous third parties and employees may think twice before paying bribes if they think they are at risk of detection and prosecution.

A Global Look at IT Audit Best Practices from ISACA and Protiviti

by David Brand
Managing Director – Leader, IT Audit Practice

There is no disputing technology’s role in business today as an enabler of virtually every process and function. With this enablement and the advantages IT brings also come global risks – security, cyberattacks, privacy issues, data breaches, governance, asset management and much more. The critical question we ask is: Are IT audit practices keeping pace in order to assess, monitor and mitigate critical risks coupled to a technology-enabled business? This is what ISACA and Protiviti set out to determine in conducting the fourth annual IT Audit Benchmarking Survey.

Our 5 key findings from this year’s study:

  1. Cybersecurity and privacy are primary concerns – This area is rated as the top technology challenge and also may be driving trends such as increasing involvement from audit committees in IT auditing activities.
  2. Companies face significant IT audit staffing and resource challenges – Not only is this issue ranked among the top technology challenges, but it is an undercurrent in many of the survey findings, including the use of external resources to support IT auditing efforts.
  3. Audit committees, as well as organizations in general, are becoming more engaged in IT audit – More organizations have a designated IT audit leader, and over the past three years, the percentage of IT audit leaders that regularly attend audit committee meetings has doubled.
  4. IT audit risk assessments are not being conducted, or updated, frequently enough – Given the dynamic nature of technology change and risk, it is surprising to find that some companies still do not conduct IT audit risk assessments. Not only must IT audit risk assessments be performed, but they also should be reviewed and, if necessary, updated on a quarterly basis or more frequently. However, a majority of companies are conducting these reviews annually or even less frequently.
  5. There’s room for growth in IT audit reports and reporting structures – A majority of companies do not issue enough IT audit reports, and many still have the IT audit leader in a less-than-ideal reporting structure.

Check out our infographic here. To view and download our report with detailed results from our study, visit www.protiviti.com/ITAuditSurvey.

You Can’t Protect Intellectual Property and Sensitive Data Unless You Know What You are Trying to Protect

by Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice

and

Rocco Grillo
Managing Director – Leader, Protiviti’s Incident Response and Forensics Practice

In recognition of the Association of Certified Fraud Examiners and International Fraud Awareness Week, Protiviti, whose practitioners include over 100 members of the ACFE, is releasing a series of tips on fraud awareness to assist the ACFE in communicating the many ways that fraud can affect your organization. We also suggest proactive steps you can take to better position you and your organization in the ongoing fight against fraud.

________________________________________

Cyber-crime targeting of commercial enterprises and organizations is rampant. Increasingly sophisticated organized crime groups are gaining improper access to point-of-sale systems and corporate networks to steal credit card numbers, expiration dates, account holder names and CVV codes, intellectual property, as well as other sensitive data.

In addition, certain countries have historically utilized their intelligence agencies to use intelligence-gathering techniques to steal information such as computer source code, product formulas, and design information about new products or processes. These types of state-sponsored economic espionage often target technology-centric industries, including computer software and hardware, biotech, aerospace and defense, telecommunications, transportation and engine technology, automobiles, machine tools, energy, materials and coatings, and so on.

The high-tech sector is widely considered to be the most frequently targeted area for economic espionage, although any industry with information of possible use to foreign governments and their commercial sectors is at risk. Increasingly, these government intelligence agencies are using hacking techniques to gain access to commercial secrets.

Whether it is organized crime that is seeking to gain access to your network or a foreign government seeking to obtain the product formulation of the next wonder drug, companies’ most valuable information is stored electronically on their networks and individual computer workstations. While companies expend tremendous sums of money and resources securing their networks and testing their security, sometimes the issue is not knowing the universe of sensitive data that they possess, where and how it is stored, and who has access to it.

Knowing where your data resides is, in many instances, half the battle. Trying to identify an organization’s “crown jewels,” or key assets, is equally important. Boards of many major corporations are scrambling to implement security controls to processes in order to safeguard their organizations, but many also need to focus on risk management to identify their crown jewels when implementing these controls and safeguards.

Often, information about what valuable data the company has, where it is stored and who may have access to it is determined only after there has been a breach. As network security experts trace the activities of the hackers to see what systems and applications were accessed illicitly, they learn what information was stored and whether it was exfiltrated from those devices. Indeed, one of the most challenging issues for internal auditors as well as IT security professionals, when assessing their company’s information security, is not only understanding the systems and the security controls designed to monitor, detect and prevent data breaches, but also taking an inventory of the various categories of sensitive data stored electronically across the organization, identifying where specifically it is located, and determining who has access to it.

Without this critically important information, internal auditors and others charged with the responsibility of assessing the effectiveness of network security and the extent to which the company’s most sensitive data may be exposed are severely restricted.

Some sensitive data is of obvious interest to hackers, and it is fairly straightforward to assess how it is collected, where it is stored and how it can be accessed. Knowing who accessed data, and when, is equally, if not more, important. Being able to pinpoint who has accessed data is critical to any organization trying to protect its data. Logging and monitoring controls enable organizations to accomplish this.

During a forensics investigation, trying to find the source of a breach is like trying to find a needle in a haystack. And without logging and monitoring controls, or with only limited controls, that needle in the haystack becomes a needle in an open field. Sensitive data includes customer information, credit card numbers, personnel records, and payroll and banking information, among other assets deemed to be the organization’s crown jewels. The challenge is in determining what other types of sensitive data may exist and where. Such sensitive information includes corporate development (M&A) information, prototypes, source code, customer lists, proprietary pricing information, legal files, human resources data, and other data that, were it to be released, would be commercially damaging to the company.

What steps should companies take to better understand where their valuable data is?

  • Before companies understand where it is, they need to understand what it is or what their crown jewels are.
  • Survey key business units and obtain a list of their most sensitive data and IP by category.
  • Determine what added security may be in place to protect that data.
  • Request information about where the data is stored, how it is secured and how access is controlled.
  • Integrate what is learned by this data gathering exercise into future IT security audits.

Beware of the Fake Presidents

by Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice

We have become aware of an ongoing fraud scheme that initially was targeting Western European companies but appears to have emerged in the United States. The scheme involves social engineering and email spoofing, wherein the fraudster assumes the identity of a senior company executive and targets an employee from that same company, often someone in accounting or accounts payable.

The victim employee initially receives an email from the “fake president” concerning a highly confidential transaction, sometimes related to an acquisition. The communications often stress both urgency and the need for confidentiality. Recipients of these emails may also be directed that subsequent communications be directed to the “president’s” personal email, that of the president’s attorney, or both. They subsequently receive instructions by telephone and/or email containing bank routing, account number and account holder information to which the fake president needs a wire transfer to be sent.

The schemes about which we are aware have each involved accounts in Hong Kong, but this scheme could involve accounts in any foreign jurisdiction. In some instances, these schemes involve a single fraudulent wire transfer, but in other instances they may keep it going until and unless the company realizes it has been defrauded.

These schemes are often effective as a result of the research that the fraudsters have done in advance to identify the company executives and operations, as well as to identify an employee to target. It is believed that the initial target pool centered on EU-based companies because there is detailed information available in the public domain that makes the identification of executives and lower-level accounting or finance employees relatively easy compared to companies that are based elsewhere.

That said, these schemes have characteristics in common with other known and highly successful fraud schemes being perpetrated by criminal organizations. These characteristics include use of spoofed emails, blocked or anonymous phone numbers, offshore bank accounts in less cooperative jurisdictions, and the targeting of wire transfers.

The use of flattery, urgency and confidentiality is also characteristic of such fraud schemes undertaken by organized groups. The fraudster may make statements to lead the targeted employee to believe that the fake president has carefully selected him or her as being worthy of the president’s trust, leading the victim to believe that he or she has the trust of a high-level executive. The resulting excitement may cause the victim employee to ignore any obvious red flags out of misplaced hope that if he or she successfully executes the instructions, it will result in a career boost.

Instilling a sense of urgency is another proven technique in fraud schemes (along with the sale of used cars and health club memberships). Applying time pressure, coupled with the fear of upsetting a very senior executive in connection with what has been described as a highly confidential matter, can cause people to disregard red flags they would have noticed had they taken the time to think about what was happening before it was too late.

What steps can be taken to reduce your organization’s susceptibility to fake president fraud?

  • Require telephonic and email confirmation to phone numbers and email addresses from the company directory – do not rely on the requestor’s email instructions.
  • Educate your employees about the prevalence of the various social engineering and email spoofing techniques being employed by fraudsters and the red flags to monitor, including non-standard transactions, urgency, confidentiality, offshore accounts and use of wire transfers, and use of personal emails.
  • Review fraud controls around wire transfer requests, ensure that those controls are being followed, and ensure that all approvers are aware of the prevalence of schemes targeting companies around fraudulent wire transfers.
  • Discuss fraud controls with your financial institutions to see if any enhancements can be made on their end to assist in protecting your organization against wire transfer fraud.
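The red flags and the directory-based confirmation step above can be expressed as a screening check on incoming payment requests. The following is an added example, not part of the original post; the directory, the domain `example.com`, the wording lists and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory and domain (assumptions for this example).
COMPANY_DOMAIN = "example.com"
DIRECTORY = {
    "pat rivera": {"email": "pat.rivera@example.com", "phone": "+1 555 0100"},
}

# Red flags listed in the article, as simple wording checks.
RED_FLAG_TERMS = {
    "urgency": ("urgent", "immediately", "today", "as soon as possible"),
    "confidentiality": ("confidential", "do not discuss", "tell no one"),
    "wire_transfer": ("wire transfer", "routing", "account number"),
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample messages.
SPOOFED = """\
From: "Pat Rivera" <pat.rivera@examp1e-corp.test>
Reply-To: pat.rivera.private@mail.test
To: ap.clerk@example.com
Subject: Acquisition - strictly confidential

I need a wire transfer sent today for the acquisition we discussed.
Reply only to my personal address or to my attorney, counsel@lawfirm.test.
Routing and account number will follow by phone.
"""

CLEAN_HEADERS = """\
From: "Pat Rivera" <pat.rivera@example.com>
To: ap.clerk@example.com
Subject: Vendor payment

Please send a wire transfer for the attached invoice.
"""


def body_text(msg):
    """Return the plain-text body of a parsed message."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def assess_payment_request(raw, directory=DIRECTORY, domain=COMPANY_DOMAIN):
    """Flag fake-president indicators and pick the callback contact."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_to = from_addr.lower(), reply_to.lower()
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    entry = directory.get(name.strip().lower())
    known = {e["email"] for e in directory.values()}

    flags = []
    # Display name of a listed executive, but not the listed address.
    if entry and from_addr != entry["email"]:
        flags.append("executive_name_with_unlisted_address")
    if not from_addr.endswith("@" + domain):
        flags.append("external_sender")
    # Replies steered to a personal or third-party mailbox.
    if reply_to and not reply_to.endswith("@" + domain):
        flags.append("reply_to_outside_company")
    # Message supplies its own contact details for follow-up.
    if any(a not in known for a in EMAIL_RE.findall(text)):
        flags.append("contact_details_supplied_in_message")
    for flag, terms in RED_FLAG_TERMS.items():
        if any(t in text for t in terms):
            flags.append(flag)

    return {
        "flags": flags,
        # Any wire request is held, even when the headers look clean.
        "hold_for_callback": "wire_transfer" in flags,
        # Contact details come from the directory only, never the message.
        "callback": entry,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("clean headers", CLEAN_HEADERS)):
        print(label, assess_payment_request(raw))
```

The second sample carries no header anomalies yet is still held, because a sender address can be forged and only the out-of-band confirmation to the directory number settles who is asking.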

Cybersecurity in Retail: Hope for the Best but Plan for the Worst

by Rocco Grillo
Managing Director – Leader, Protiviti’s Incident Response and Forensics Practice

The recent uptick in retail data breaches is significant for all companies in a couple of important ways. First, it is important to point out that some of these highly publicized breaches have occurred at companies that were “PCI compliant.” Second, just when it appeared that the breaches had become as widespread as one could imagine, the continued line of additional companies falling victim has gotten larger, with no end in sight.

Furthermore, law enforcement investigators have indicated that there are many other organizations that have been compromised – the only difference is that they don’t know it yet.

It’s becoming painfully apparent that there is no such thing as penetration-proof data security. It’s no longer even enough to assume that you CAN be breached. We advise companies to conduct exercises that simulate that they have been compromised, and to focus, going forward, on how to address vulnerabilities and minimize the damage through rapid detection and response – both in containing the breach and in communicating with customers, employees, shareholders and the media.

Further to identifying potential areas of compromise, organizations need to transition from being reactive with their incident response plan and create a “proactive response” to potential compromises. This should include enhancing response plans, testing them through simulated tabletop exercises, conducting simulated forensics investigations to determine “the unknown,” and ultimately having partners aligned in advance of a potential attack or compromise.

That’s not to say that vulnerability and penetration testing aren’t important. It’s critical for organizations to understand where they are vulnerable and establish strong security processes and measures to ensure data remains safe.

But as we explain in our Point-of-View paper, High-Value Targets – Retailers Under Fire, security is a lot more than having a strong firewall. It must be applied to all layers in the organization, not just the “outer shell.” The right security best practices can identify and disrupt a cyberattack at the perimeter and also prevent a data breach, even if the attacker gets past the first layer of defense.

It’s frightening to consider how many companies are still relying only on fixed-point-in-time data security methods, such as penetration testing. As we found in our just-released 2014 IT Security and Privacy Survey, many companies don’t even have a written incident response plan. Among those that do, many have plans that are out-of-date or not mature, and too few rehearse and drill it to perfection through table-top exercises or simulated forensics investigations to help address the all-too-common questions coming from the board: Are we prepared to respond to an attack? Are we secure?

This is akin to a football coach who devises a trick play and tells his players all about it, but neglects to have them run the play at practice. Imagine the chaos that would ensue if they decided to run that play in a big game. Needless to say, the fan base would not like what they see!

Practice makes perfect.

Going forward, we need to assume that breaches are inevitable. I’d go so far as to suggest you assume that your organization has already been breached. That assumption puts you in immediate response mode and adds urgency to subsequent efforts to address the issue. Believe it or not, many organizations don’t figure out that they’ve been hacked until weeks, or months, after the intrusion.

Given the ubiquity of data breaches, organizations are going to be judged not by their ability to prevent an attack, but by the speed and efficacy of their response.

You have your board’s attention and directors want to know: Are you ready to respond? Are we secure? Are you sure? How do you know? If any of these questions give you pause, it’s time to up your game. Now more than ever, the bad guys are more sophisticated in attack techniques and with the holidays ahead, we’re entering the busy season for data theft. It may give “Black Friday” a new meaning in the retail industry.

Beware of the Slippery Slope – When Gifts, Entertainment, Favors and Philanthropy Become Problematic

by Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice

Having just completed my holiday gift list – a list that is free from foreign officials, I should point out – I thought it would be useful to discuss the various ways in which gifts, entertainment, favors and charitable giving can lead to some pretty negative outcomes.

The key is knowing the individuals to whom we are providing these items of value: Are any of them in positions of influence to award business to your organization? Are they government officials or employees of state-owned companies? Are these individuals connected in any way with charities to which we are donating?

Generally speaking, it is acceptable to give gifts to customers and prospects, entertain them, extend certain professional courtesies to them, and consider support for their favorite causes. What’s key, though, is ensuring these important social norms are not distorted into thinly disguised bribes given in an effort to obtain some type of unfair business advantage.

Several things are critically important to work out in advance to ensure that items of value and charitable donations pass the reasonableness test. First and foremost, your organization’s policies and procedures need to provide clear guidance, limits and preapproval requirements surrounding gift-giving, entertainment, defining other things of value (a category into which favors would fit), and charitable donations. Those policies and procedures should not only provide guidance and examples of appropriate and inappropriate gifts, entertainment, other items of value, and charitable donations, but they also should require that certain categories of recipient be subject to heightened approvals and, in some instances, prior approval before the value is exchanged.

For example, clients before whom there is a pending proposal in response to a formal RFP, as well as any client or contact that is a government official or employee of a state-owned company, may warrant a pre-approval such that a second set of eyes can evaluate the compliance risk objectively and any appearance of impropriety with regard to the proposed gift or other item of value. Those pre-approvals should not only take place, but both the request and the approval (or rejection) should be formally documented.

Even if the decision-making and associated documentation are found to be incorrect by a regulatory body or law enforcement agency, it would be difficult for the agency to assert that the company didn’t have controls in place and that the transaction was not transparent.

Another critical success factor in limiting compliance risk in this area is whether the company has a formal mechanism to determine whether recipients of gifts or any items of value are governments, government-owned entities and/or legitimate charities free from conflicts. Equally important is to have complete transparency with regard to the identity of each gift recipient. This last point may seem obvious, but often in marketing promotions or holiday gift giving, blocks of gifts, gift cards, tickets to sporting events or other items are given to distributors, sales agents or other intermediaries, and the company risks losing sight of who the ultimate recipients are.

Amazingly, charitable giving and political donations have also been abused and distorted to disguise bribes or kickbacks to government officials as legitimate philanthropy or efforts to be a good corporate citizen by supporting local charities. Like the other areas described above, it is important to understand how the charitable donation or political contribution was first solicited and by whom. It is equally important to be able to demonstrate a good understanding of the purpose of these donations or contributions, the charities and political organizations themselves, along with some degree of negative assurance that these organizations are free from conflicts of interest. It is a sound business practice to have a policy that governs such giving to include a requirement that all financial support require written pre-approval.

The bottom line here is that generosity, relationship management, and political and social consciousness require more than just financial support. They require strong policies and procedures, along with a keen awareness of the potential risks and controls to provide reasonable assurance that all of the company’s activities in these categories are reasonable and are well aligned with your policies, procedures, and local laws and regulations.