In February 2017, the U.S. Department of Justice (DOJ) Fraud Section published its latest guidance on corporate compliance programs with the release of the very useful document titled “Evaluation of Corporate Compliance Programs.”
While many legal and compliance scholars have rightly stated that this latest publication isn’t anything radically different from prior authoritative guidance issued by the DOJ and other organizations, what jumps out is the reframing of the well-worn expression, “tone at the top,” with the potentially more insightful, and arguably much scarier, “conduct at the top.” In a just-released Flash Report, we put forth questions and insights that illustrate the degree to which the DOJ is examining senior management and the board of directors while evaluating a corporate compliance program.
I’ve written before about how the Department of Justice (DoJ) is stepping up efforts to root out and prosecute corporate fraud, particularly bribery and corruption, under the Foreign Corrupt Practices Act (FCPA). One of the biggest complaints I’ve heard from clients and their counsel is that there are varying degrees of credit and reduced fines and disgorgements granted for companies that self-report and that some have found it difficult to calculate the potential benefits of self-reporting.
The DoJ recognizes this perceived disparity and in April launched a pilot program to encourage corporate compliance through an incentive program offering up to 50 percent off of fines and minimum sentencing guidelines for companies that self-report FCPA violations, cooperate with investigators and take measures to prevent future fraud.
In May, Protiviti held its first FCPA and Anti-Kleptocracy Conference, bringing corporate executives and compliance officers together with government corruption investigators in a neutral environment to share ideas and build constructive alliances. It was a lively exchange. I came away with a lot to think about, and I’ll be sharing some of it here on The Protiviti View, beginning with this post on compliance considerations.
Last year, the Department of Justice signaled an increased focus on corporate crime and international corruption with the creation, in March, of three dedicated FCPA squads, and a subsequent memo from Deputy Attorney General Sally Quillian Yates to DoJ attorneys on the importance of holding individuals accountable in corporate prosecutions.
At the same time, to encourage corporate cooperation and transparency, the DoJ began touting incentives, such as reduced penalties, for executives and corporations that demonstrate good faith in the investigation and a proactive stance toward prevention going forward. The recently announced pilot program is a good example of that. With so much to gain from cooperation and so much to lose, compliance has never been more important.
One of the speakers at the FCPA conference was Laura Perkins, an assistant chief in the DoJ’s FCPA unit, where she supervises and prosecutes FCPA cases against individuals and companies. According to Perkins, one of the first things the DoJ looks at, upon responding to an incident, is the quality of a company’s compliance program and controls. They initiate discussions with the company and quickly begin to form opinions about how transparent and cooperative the organization is going to be in the investigation.
The DoJ will ask about compliance programs prior to the incident, efforts to find root causes, discipline of responsible parties and actions taken post-incident to prevent future corruption.
Perkins mentioned that one of the more significant changes within the DoJ is its retention of a compliance counsel – someone who attends compliance meetings at target companies to get an inside picture, as well as helps some of the trial attorneys who don’t have as much exposure to compliance and controls and what they should look like.
When it comes to discipline, the DoJ isn’t as concerned with outright dismissal as it is with ensuring that the punishment fits the crime. With minor infractions, training is often sufficient. The important thing here, from a compliance perspective, is being able to document and demonstrate the controls and practices in place to ensure FCPA compliance, the mechanisms in place to detect violations, and the rigor and sincerity of corrective efforts to prevent future violations.
From my perspective here at Protiviti, I would add that the best compliance programs are those based on real-world examples. There is much that can be learned from the mistakes of others and from the open exchange of ideas – which was one of the primary motivations for our FCPA conference.
Finally, I would note that a strong anti-corruption culture discourages corrupt parties from targeting your organization in the first place. Here’s what such a culture looks like, according to the DoJ:
- Sufficient compliance-dedicated resources;
- Competent compliance personnel who are sufficiently compensated and promoted;
- Compliance function independence and reporting structure;
- Compliance program crafted from an effective risk assessment; and
- Compliance program audited regularly to assess its effectiveness.
In future posts, I’ll examine the DoJ’s pilot program in greater detail, discuss ways to avoid FCPA successor liability through acquisitions and contracts with third parties, and address some other topics discussed during our FCPA and Anti-Kleptocracy Conference.
Scott Moritz, Managing Director
Leader, Protiviti’s Fraud Risk Management Practice
On September 9, 2015, U.S. Department of Justice Deputy Attorney General Sally Quillian Yates distributed a memorandum across the Department of Justice, entitled “Individual Accountability for Corporate Wrongdoing,” that has far-reaching implications for government and private-sector investigations of corporate misconduct.
While the memorandum does not have the force of law, it nonetheless provides specific direction to every federal prosecutor to hold individuals accountable for corporate crimes and to make a company’s cooperation credit conditional on the extent to which it “gives up” the individuals responsible for those crimes.
Holding individuals accountable for corporate crimes is a very effective way to change behaviors. While the U.S. Sarbanes-Oxley Act (SOX) has significantly changed the business landscape for U.S. publicly traded companies, perhaps its biggest effect was that by holding the CEO and CFO accountable for the accuracy of the quarterly and annual reports they sign, there have been a number of enduring changes in how these leaders behave.
First and foremost, before SOX, many internal investigations at public companies, large and small, never saw the light of day. “Big picture” issues often overrode what was right. With the CEO and CFO now held accountable, the default setting has shifted to performing internal investigations and then disclosing the results, to the extent that the findings suggest the need to do so. This is a direct result of the accountability component of SOX Section 302 and the upgrade that has occurred across audit committees in terms of financial aptitude since the inception of SOX.
The same sea change could result from the Yates memorandum, which sets out six steps that government attorneys should take to ensure individuals believed responsible for corporate crime are held accountable.
- Before being eligible for any cooperation credit, corporations must disclose all relevant facts about the individuals involved in corporate misconduct.
This step, perhaps more so than any other, could have the greatest long-term impact. Knowing this requirement, government investigations and internal investigations alike will have to be structured in such a way as to enable identification of individual conduct. It also creates a financial incentive for companies to disclose the responsible parties within their organizations in order for them to be eligible for cooperation credit. This will, in all probability, cause individuals to “break ranks” earlier in the process and seek their own outside counsel, rather than wait for the company to deliver them on a silver platter to the government in an effort to obtain cooperation credit. It could also result in many more individuals seeking whistleblower status rather than trusting that their employers or former employers will be unbiased in their investigations.
- Both criminal and civil corporate investigations by DOJ attorneys should focus on individuals from the inception of the investigation.
This is really more of a reminder than it is anything radically new. By their nature, investigators must focus on the actions of individuals. What is important here is that the DOJ attorneys and investigators make it clear to companies once they know of the existence of the investigation that any internal investigation must provide meaningful information about the responsible individuals.
- Criminal and civil attorneys handling corporate investigations should be in routine communication with one another.
Coordination between the SEC and DOJ has improved quite significantly since 2008. That being said, civil and criminal investigations are fundamentally different and, historically, holding individuals accountable has fallen to the criminal investigators. What the Yates memorandum points out, though, is that sometimes civil investigations provide substantive information about criminal wrongdoing, and by being in routine communication with one another that information is less likely to fall through the cracks.
- Absent extraordinary circumstances, no corporate resolution will provide protection for any individuals from criminal or civil liability.
This step could also have long-term implications on the scope of investigations and the extent to which individuals will be held accountable for corporate crimes. By making it clear to government attorneys that corporate resolutions should not routinely provide individuals protections from criminal or civil liability, it puts the burden on individual government attorneys to make the internal argument that their proposed settlement agreement meets the criteria of “extraordinary circumstances,” increasing the likelihood that more individuals will be held accountable since the majority of such agreements will not inhibit the government’s ability to hold individuals accountable.
- Corporate cases should not be resolved without a clear plan to resolve individual cases before the statute of limitations expires, and declinations as to individuals in such cases must be memorialized.
This step is in recognition of the fact that individual cases often continue after the corporate cases have been settled. It will help ensure that appropriate forethought is given with regard to individuals who could be held accountable if not for mismanagement of the statute of limitations.
- Civil attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual’s ability to pay.
This step, again, is a reminder of the different lenses through which civil enforcement attorneys and criminal prosecutors view their cases, as well as the importance of considering the totality of the facts regarding each individual in determining the appropriate means by which he/she is held accountable.
While each of these steps detailed in the Yates memo sends a clear message to the DOJ attorneys responsible for criminal and civil enforcement, in-house and outside counsel, chief compliance officers and senior executives should also take notice. As it has on a number of occasions since the Federal Sentencing Guidelines went into effect, the government is again putting corporations on notice that people, not companies, commit crimes.
Corporations are expected to focus their internal investigations in such a way as to identify the people responsible, not just scapegoats, and to understand that their ability to receive cooperation credit depends on it. As Ms. Yates stated in her public remarks about the memo: “We’re not going to be accepting a company’s cooperation when they just offer up the Vice President in Charge of going to jail.”
Difficult though it may be for companies to be completely transparent in their identification of the people responsible, no matter how senior and important to the company’s future they may be, management will be forced to make decisions for the good of the company that will very likely result in some of their former colleagues going to prison.
Our webinar series on internal investigations is generating lots of good questions from participants. The series kicked off in November 2014 with Internal Investigations for Non-Investigators, which offered a broad overview of the topic. The second webinar, Misplaced Trust: Investigating Vendor Fraud, was held in March 2015.
The series is co-presented by Scott Moritz, global lead of Protiviti’s Investigations & Fraud Risk Management practice, and Peter Grupe, a director in that group. Scott has 28 years of investigative experience, including nearly 10 years as an FBI special agent. Peter, a former assistant special agent in charge of the FBI’s white collar crime program in New York, has over 25 years of experience investigating financial crime.
In this blog entry, Scott answers some great caller questions that came up in the Vendor Fraud session.
Q: What is a best practice to validate new vendors?
A: Historically, companies collected information from vendors in order to set up payments. This basic data falls far short of what is required to make informed risk-based decisions — for regulatory compliance and fraud risk management, among other things.
Today, companies need to be able to readily segregate upstream suppliers from those empowered to act on the organization’s behalf (often referred to as “intermediaries”). If a company acts on your behalf, Protiviti recommends collecting richer data — including the names of executives, owners, and whether the company is public, private, or government-owned; how long the company has been in existence, revenue (if disclosed), and whether the client is the vendor’s largest customer.
Q: If you are performing a typical vendor audit (i.e., no initial suspicion of fraudulent activity), what are the best techniques to identify fraud, such as vendor kickbacks?
A: Just because you don’t suspect vendor fraud doesn’t mean it’s not going on. Vendor fraud is the most common type of fraud and accounts for 18 percent of fraud losses — particularly at large organizations.
Top of mind:
- Compare vendor master data with personnel data. Look for addresses in common. (Be mindful of privacy restrictions in certain jurisdictions such as the EU.)
- Vendors of almost any size will leave some sort of footprint in the public domain – social media presence, etc. You would expect any commercial entity to have some record of its existence in the public domain. Entities that exhibit little to no footprint warrant closer scrutiny.
- It is also prudent to search global watch lists, such as those maintained by the Office of Foreign Assets Control (OFAC), which tracks international trade violators and sanctions; the U.S. General Services Administration’s (GSA) System for Award Management (SAM) list, which includes a list of companies that have either failed to perform or have committed fraud against the U.S. government and have been debarred; and the U.S. Department of Commerce Bureau of Industry and Security list, which includes companies that have violated U.S. boycott laws.
- Look for red flags. Kickbacks are a type of fraud that may raise very specific red flags. Compare contracts for a vendor suspected of paying kickbacks to those of comparable vendors – is unit pricing or aggregate spend out of line? Did your investigation reveal that one or more employees are unusually close to someone at the suspect vendor?
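As an added illustration (not code from the original post or from Protiviti), the two analytics mentioned in this answer, vendor-to-employee address overlap and unit pricing out of line with comparable vendors, run over constructed sample vendor master and personnel records; all names, addresses and prices are invented, and the 1.5x-median threshold is an assumed tuning value:

```python
import re
import statistics
from collections import defaultdict

# Constructed sample data for illustration only; vendors, employees,
# addresses and prices are invented.
VENDORS = [
    {"id": "V001", "name": "Acme Office Supply", "category": "office",
     "address": "44 Commerce Pkwy, Springfield, IL 62703", "unit_price": 4.10},
    {"id": "V002", "name": "Prairie Paper Co", "category": "office",
     "address": "88 Elm Avenue, Springfield, IL 62702", "unit_price": 4.25},
    {"id": "V003", "name": "Capital Stationers", "category": "office",
     "address": "301 Oak Road, Decatur, IL 62521", "unit_price": 7.90},
    {"id": "V004", "name": "Lakeside Supply", "category": "office",
     "address": "5 Harbor Blvd, Chicago, IL 60601", "unit_price": 3.95},
    {"id": "V005", "name": "Riverbend Consulting LLC", "category": "consulting",
     "address": "12 MAIN ST STE 4, Springfield IL 62701", "unit_price": 150.00},
]

EMPLOYEES = [
    {"id": "E100", "name": "J. Doe",
     "address": "12 Main St., Suite 4, Springfield, IL 62701"},
    {"id": "E101", "name": "A. Roe",
     "address": "9 Birch Lane, Peoria, IL 61602"},
]

# Common street-type abbreviations so "Suite 4" and "STE 4" compare equal.
ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste",
                 "lane": "ln", "boulevard": "blvd", "parkway": "pkwy"}


def normalize_address(addr: str) -> str:
    """Lower-case, strip punctuation, collapse whitespace and abbreviate
    street types so trivially different spellings of one address match."""
    cleaned = re.sub(r"[^\w\s]", " ", addr.lower())
    return " ".join(ABBREVIATIONS.get(tok, tok) for tok in cleaned.split())


def find_shared_addresses(vendors, employees):
    """Return (vendor_id, employee_id) pairs whose normalized addresses
    are identical: a classic undisclosed conflict-of-interest indicator."""
    by_address = defaultdict(list)
    for emp in employees:
        by_address[normalize_address(emp["address"])].append(emp["id"])
    hits = []
    for vendor in vendors:
        for emp_id in by_address.get(normalize_address(vendor["address"]), []):
            hits.append((vendor["id"], emp_id))
    return hits


def find_pricing_outliers(vendors, ratio=1.5, min_peers=3):
    """Within each spend category, flag vendors whose unit price exceeds
    `ratio` times the category median. Categories with fewer than
    `min_peers` vendors are skipped because the median is not meaningful."""
    by_category = defaultdict(list)
    for vendor in vendors:
        by_category[vendor["category"]].append(vendor)
    flagged = []
    for peers in by_category.values():
        if len(peers) < min_peers:
            continue
        median = statistics.median(p["unit_price"] for p in peers)
        flagged.extend(p["id"] for p in peers if p["unit_price"] > ratio * median)
    return flagged


if __name__ == "__main__":
    for vid, eid in find_shared_addresses(VENDORS, EMPLOYEES):
        print(f"Vendor {vid} shares an address with employee {eid}: "
              "review for an undisclosed conflict of interest")
    for vid in find_pricing_outliers(VENDORS):
        print(f"Vendor {vid} unit pricing is out of line with category peers: "
              "review the contract and approvals")
```

A flagged pair is a lead for review, not a finding; the same normalization can be applied to phone numbers or bank details where the data and local privacy rules allow.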
Q: Can you give some examples of the types of background checks you perform on new or existing vendors?
A: First, let me distinguish between a background check and the watchlist matching process (sometimes referred to as “screening”) we were discussing earlier. Screening deals primarily with vendor-supplied information and comparing it to one or more lists of debarred parties. Background investigations use publicly available information, beyond the watch lists I’ve mentioned, to bring to light past bad behavior by vendors that may cast doubt on their character and the veracity of self-reported data. Public information includes things such as regulatory actions, pending or prior criminal actions, lawsuits, bankruptcies, liens, judgments, affiliated companies, companies with common ownership, etc.
If the public record shows that somebody has done something improper or illegal in the past, there’s a good chance they’re going to do something similar in the future. Not a lot of people (or companies) wake up one day and decide to embark on a life of white collar crime. Most people involved in fraud or corruption have been involved in similar crimes for many years and very few of them find redemption.
Q: In doing a standard, cyclical vendor audit, what are some things we should look for to identify vendor-related fraud? Presumably, the vendor itself in all these cases is legitimate as we are doing business with them.
A: The GSA produces a blacklist of companies that have either consistently failed to perform their obligations under government contracts, or have defrauded the government. If a vendor has no qualms about defrauding the federal government and facing those kinds of sanctions, they’re going to have no qualms about defrauding you. Debarments are a sign you want to pay attention to, as past behavior is a good predictor of future behavior. There is a wide array of debarment lists maintained by the federal, state and local government as well as several of the larger, multilateral banks (World Bank, European Bank for Reconstruction and Development, Inter-American Bank, etc.).
We’ve seen a significant uptick in demand for master vendor file audits. Not sure what is contributing to this, but a lot of organizations are finding that the volume of vendor contracts requiring auditing is overwhelming and are seeking to leverage electronic tools to detect undisclosed conflicts of interest, fictitious vendors and any vendors who have pending or historical sanctions against them.
Protiviti will continue to promote an ongoing dialogue on fraud, fraud risk, financial crime and corruption through its thought leadership and continuing its webinar series on internal investigations.
Life would be a lot easier if people always behaved honestly and ethically. Nevertheless, anyone who has spent any significant amount of time in the corporate crucible can tell you that employee behavior often falls short of the ideal. Such is life.
Internal investigations — whether for financial fraud or some other type of legal, moral or ethical breach — are a workplace reality. Too often, however, those called upon to conduct these investigations are ill-prepared, having come into their positions based on technical knowledge and functional experience, with little or no background or experience in managing a crisis and/or conducting internal investigations.
The need to perform an internal investigation typically comes without warning. It’s not surprising, then, that most organizations are not able to produce, on the spot, experts who have the skill sets, tools and experience necessary to perform an internal investigation.
Rather, the staffing of an internal investigation unit is much more likely to consist of “battlefield promotions” — typically, some combination of internal audit, legal, IT and HR leadership.
Considering the risks, both financial and reputational, a little advance planning could mean the difference between an effective outcome and a disaster. Protiviti Managing Director Scott Moritz teamed with Director Peter Grupe to address this important issue in a free webinar last year, Internal Investigations for Non-Investigators.
The webinar streamed live on November 13, 2014 and is archived by date on the Webinars page of the Protiviti website. Scott is a former FBI special agent and global leader of our Investigations & Fraud Risk Management practice. Peter is a director in the Investigations & Fraud Risk Management practice and served 24 years in various executive management roles in the FBI’s largest white-collar crime branch, where, among other things, he managed the Bernard Madoff investigation. Clearly, these guys have been there, done that.
The live broadcast of their webinar drew a large audience and remains one of the most popular on our site. Here are some takeaways from this conversation — actions every organization should take now, before a crisis arises.
- Develop an investigation plan. A good plan provides guidance for defining the scope of an investigation, the chain of command, communication protocols, timelines, documentation, deliverables and investigative procedures.
- Lay the groundwork in advance. Data preservation is critical — from books and records to email and other electronic data, and includes the ability to recover deleted hard drive contents. Verify the integrity of archived data to ensure that retained records can be retrieved.
- Identify external resources. When things go wrong, they can go wrong in a hurry. If your investigation plan calls for retaining outside counsel, public relations consultants or investigative help, make sure those assets have been identified and that those resources can be “on the ground” quickly.
- Implement a case management system. When your reputation is on the line, you want to be sure you have your investigative infrastructure in place before you need it. You never want to find yourself building the bridge as you cross it.
- Learn from your mistakes. Leveraging the positive and negative results of prior investigations helps organizations compress the learning curve over time, improving investigative efficiency and effectiveness.
Do you have an investigation plan? The heat of battle is no place to be formulating policy. For more information, I highly recommend watching the full webinar. As I said, these guys are good!
Over the past week, since its December 2, 2014 release, anti-corruption nerds everywhere, myself included, have been poring over the recently released Organization for Economic Cooperation and Development (OECD) Foreign Bribery Report – An Analysis of the Crime of Bribery of Foreign Public Officials. For those of you unfamiliar with the report, it is a study of 427 prosecutions of bribery offenses that have been brought in countries that are signatories to the OECD Anti-Bribery Convention, enacted in 1999. The report is a very comprehensive analysis of cases involving bribery of foreign officials, and it debunks some widely held beliefs about bribery and corruption. It also provides valuable insights into the industries in which bribery is most prevalent, categories of bribe recipients and the role of intermediaries, as well as how often corporate management is aware of bribery and how these cases come to light.
Widely Held Belief Number 1: Most Bribes Are Paid in Emerging Markets
The report found that “two-thirds of bribes were paid to officials in countries higher on the UN Human Development Index.” The UN Human Development Index is a composite statistic of life expectancy, education and income indices used to rank countries into four tiers of human development as a means of measuring how developed a country is. While the OECD report pointed out that this number may be somewhat skewed by the fact that more developed countries may be less reticent to share details of their bribery cases, it is a surprising finding nonetheless.
Widely Held Belief Number 2: The Majority of Bribe Payments Are the Acts of Rogue Employees
The report found that 53 percent of cases involved corporate management or CEOs. More specifically, it found that in 41 percent of cases, management-level employees paid or authorized the bribe, and in 12 percent of cases, the CEO was involved. Corporate culture is set by its leadership, and the “tone at the top” is considered one of the ten hallmarks of an effective compliance program. Corporate leadership that tacitly approves bribery with a wink and a nod and gives lip service to compliance but fails to back up compliance personnel and instead overrules them in favor of meeting sales goals or quarterly earnings contributes greatly to this staggering figure.
Widely Held Belief Number 3: Bribery Is Usually the Result of Corrupt Government Regulators or Inspectors
The report examined the unfair business advantages that bribe payers were seeking and found that in 57 percent of cases, bribes were paid to obtain public procurement contracts. The other business advantages sought by bribe payers included customs clearance (12 percent), tax relief (6 percent), other preferential treatment (7 percent), obtaining a license, permit or other form of governmental approval (6 percent) and access to confidential information (4 percent).
The fact that the majority of the 427 cases examined involved bribery to obtain public procurement contracts should cause any company operating outside the U.S. selling to governments and state-owned companies to sit up and take notice. If there is a positive to be gleaned from this statistic, it is that companies involved in bidding on public procurement projects have now been signaled that strengthening controls around public procurement will go a long way toward lowering their exposure to liability under the various anti-bribery statutes to which they may be subject.
Widely Held Belief Number 4: There Is a Staggering Array of Categories of Foreign Official that Could Trigger Corruption Liability
There is, indeed, a wide range of individuals who meet the definition of “foreign official” or “foreign government official.” However, the report shows that 95.1 percent of all bribe value was paid to public officials in only five categories: officials of state-owned enterprises (SOEs) (80.1 percent), heads of state (6.97 percent), government ministers (4.08 percent), defense officials (2.93 percent) and customs officials (1.14 percent). Given the volume of bribe value being paid to officials of SOEs, is it any wonder that defense attorneys have been seeking to challenge the terms “foreign official” and “instrumentality of a foreign government”? When considered together with the fact that 57 percent of bribery cases relate to public procurement, this statistic makes board room discussions even more critical within any organization seeking a government contract and engaging with officials of SOEs, heads of state and government ministers in the process.
We’ve had numerous discussions with clients over the years that started with the sentence: “We just had a very uncomfortable conversation with the SEC.” They continue by elaborating that they couldn’t answer basic questions, including “Which of your customers are state-owned, how do you arrive at those conclusions and what is the heightened standard of care that you hold them to?” You either know the answers to these questions or you don’t. Given the statistics we just quoted, companies with international operations would be well served by being able to distinguish readily between the SOEs and government agencies and the private enterprises in their customer base. Companies that can’t answer this basic question and articulate how they go about mitigating the risks associated with interacting with employees of SOEs are not likely to receive a determination of an effective compliance program from anyone who matters.
Other Findings of Note
Numerous Signatory Countries to the OECD Anti-Bribery Convention Have Never Prosecuted a Single Bribery Case
Aside from debunking some widely held beliefs about bribery, the OECD Foreign Bribery Report offered some other very interesting facts, including some it didn’t explicitly point to. One such noteworthy implication is that there are 41 signatory countries to the OECD Anti-Bribery Convention, yet the 427 prosecution cases brought since it went into force in 1999 come from only 17 countries. Thus, 24 signatory countries to the OECD Anti-Bribery Convention have not prosecuted a single bribery case since signing. Worse still, seven of the 17 who have prosecuted bribery schemes have only prosecuted one scheme each since signing.
The “Hall of Shame” of non-prosecutors includes Argentina, Australia, Austria, Brazil, Chile, Colombia, Czech Republic, Denmark, Estonia, Finland, Greece, Iceland, Ireland, Israel, Latvia, Mexico, New Zealand, Portugal, Russia, Slovakia, Slovenia, South Africa, Spain and Turkey. Nor do Belgium, Bulgaria, Hungary, Luxembourg, Netherlands, Poland and Sweden have much to brag about, as they have each prosecuted only one bribery scheme since signing the Convention.
Internal Audit and Mergers & Acquisitions (M&A) Activities Triggered Nearly 20 percent of Cases
According to the report, one-third of cases were instigated by self-reporting. Of those, 31 percent were triggered by internal audits and 28 percent by M&A due diligence activity. In total, nearly 20 percent of cases reported to law enforcement were uncovered through this combination of internal audits and M&A due diligence. This fact clearly demonstrates the importance of two of the ten hallmarks of an effective compliance program: Continuous Improvement: Periodic Testing and Review, and Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration.
Internal Audit. In most organizations, internal auditors are generalists. But when considered an extension of the organization’s anti-corruption program – as supported by the report finding – it’s obvious why internal audit should receive advanced anti-corruption training. Specifically, internal auditors should understand key concepts comprising the various anti-corruption statutes to which the organization is subject, the risk factors that can trigger liability, the types of red flags indicative of potential problems, and the investigative steps to follow in the event they suspect a potential violation.
Due Diligence. According to the Resource Guide to the U.S. Foreign Corrupt Practices Act (FCPA Guide), jointly published by the SEC and the U.S. Department of Justice in 2012, “Inadequate due diligence can allow a course of bribery to continue – with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target’s value and negotiate for the costs of the bribery to be borne by the target.”
An important and sometimes overlooked aspect of acquisition due diligence is the performance of an anti-corruption risk assessment. In a perfect world, all acquisition targets have robust anti-corruption programs. In actuality, many small and midsize companies operating overseas do not have any type of anti-corruption program. That is why the performance of a high-level anti-corruption risk assessment is so important.
Gaining an understanding of the company’s ownership group, executive team, customer base, distribution channels, sales and marketing, products and services, activities, and ties to foreign officials will better position a potential acquirer to evaluate the true purchase price, inclusive of any compliance remediation work that may be necessary to properly integrate the entity post-acquisition. Not only will doing an anti-corruption risk assessment on the front end lower the risk of a future bribery violation, it could provide the acquiring company with additional leverage in negotiating a more favorable purchase price.
75 Percent of Cases Involved Payments Through Intermediaries
The OECD Foreign Bribery Report validated what almost everyone in the anti-corruption field has known for a long time: the majority of bribes (75 percent) are paid through intermediaries. Of these, 41 percent fall into the category the report refers to as “agents.” The term is actually broader than the name suggests and includes sales and marketing agents, distributors and brokers. The next most common type of intermediary (35 percent) is what the report calls a “corporate vehicle.” Corporate vehicle is a catch-all term for subsidiary companies, local consulting firms, offshore companies in tax havens and companies established under the beneficial ownership of bribe payers or recipients.
While third-party anti-corruption due diligence has become a cottage industry in the past five years or so, many organizations still take a fairly minimalist approach to vetting their intermediaries, focusing most if not all of their effort on commissioned sales agents because they represent the greatest degree of risk. While for most companies placing the initial focus on agents is justified, many other categories of intermediaries also pose potential corruption liability. Companies would be well served by conducting an inventory of their business intermediaries so that they can categorize them by the relative bribery risk each may represent. Such categorization should consider how long the intermediary has been in existence, whether its primary role is to engage with a specific government agency or state-owned enterprise (SOE) on behalf of its clients, and whether any of its control persons previously held senior roles within those agencies or SOEs.
Often overlooked in the group of intermediaries are service providers such as attorneys or accountants. And before the GlaxoSmithKline case, who would have thought that there was intermediary risk associated with travel agents? A critical success factor for understanding third-party risk is to identify the universe of business intermediaries and focus attention on what they do rather than what label is used to describe them. Often, entities working in a commissioned sales agent role are referred to as “consultants,” which could cause this category to be overlooked, especially if the third-party management program is sales agent-centric. A more useful approach is to focus on compensation, including whether the intermediary is paid as a percentage of a sale or on a contingency fee or success fee basis.
The OECD Foreign Bribery Report provides the latest evidence that foreign bribery remains pervasive, and enforcement outside of just a handful of OECD signatory countries ranges from infrequent to non-existent. It paints a vivid picture of corruption as global and spanning multiple industries, with bribe payers who are increasingly sophisticated in how and through whom they pay bribes and how they conceal their activity through a web of opaque legal entities in offshore safe havens.
The report should be required reading for anyone in compliance and for any company’s senior leadership. By studying the report and understanding the various ways that companies can trigger liability under the FCPA and other international anti-bribery statutes, companies can develop better anti-bribery controls and raise awareness across their organizations, through their sales and distribution channels and into their customer bases. By applying the lessons learned from the report and through their own experiences and tailoring their programs accordingly, companies will become less attractive to bribe takers, and unscrupulous third parties and employees may think twice before paying bribes if they think they are at risk of detection and prosecution.
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice
Managing Director – Leader, Protiviti’s Incident Response and Forensics Practice
In recognition of the Association of Certified Fraud Examiners and International Fraud Awareness Week, Protiviti, whose practitioners include over 100 members of the ACFE, is releasing a series of tips on fraud awareness to assist the ACFE in communicating the many ways that fraud can affect your organization. We also suggest proactive steps you can take to better position you and your organization in the ongoing fight against fraud.
Cyber-crime targeting commercial enterprises and organizations is rampant. Increasingly sophisticated organized crime groups are gaining improper access to point-of-sale systems and corporate networks to steal credit card numbers, expiration dates, account holder names and CVV codes, intellectual property, and other sensitive data.
In addition, certain countries have historically directed their intelligence agencies to use intelligence-gathering techniques to steal information such as computer source code, product formulas, and design information about new products or processes. This type of state-sponsored economic espionage often targets technology-centric industries, including computer software and hardware, biotech, aerospace and defense, telecommunications, transportation and engine technology, automobiles, machine tools, energy, materials and coatings, and so on.
The high-tech sector is widely considered to be the most frequently targeted area for economic espionage, although any industry with information of possible use to foreign governments and their commercial sectors is at risk. Increasingly, these government intelligence agencies are using hacking techniques to gain access to commercial secrets.
Whether it is organized crime that is seeking to gain access to your network or a foreign government seeking to obtain the product formulation of the next wonder drug, companies’ most valuable information is stored electronically on their networks and individual computer workstations. While companies expend tremendous sums of money and resources securing their networks and testing their security, sometimes the issue is not knowing the universe of sensitive data that they possess, where and how it is stored, and who has access to it.
Knowing where your data resides is, in many instances, half the battle. Identifying an organization’s “crown jewels,” or key assets, is equally important. Boards of many major corporations are scrambling to implement security controls over their processes in order to safeguard their organizations, but many also need to focus on risk management to identify their crown jewels when implementing these controls and safeguards.
Often, information about what valuable data the company has, where it is stored and who may have access to it is determined only after there has been a breach. As network security experts trace the activities of the hackers to see what systems and applications were accessed illicitly, they learn what information was stored on those devices and whether it was exfiltrated. Indeed, one of the most challenging issues for internal auditors as well as IT security professionals when assessing their company’s information security is not only understanding the systems and the security controls designed to monitor, detect and prevent data breaches, but also taking an inventory of the various categories of sensitive data stored electronically across the organization, identifying where specifically each is located, and determining who has access to it.
Without this critically important information, internal auditors and others charged with the responsibility of assessing the effectiveness of network security and the extent to which the company’s most sensitive data may be exposed are severely restricted.
Some sensitive data is of obvious interest to hackers, and it is fairly straightforward to assess how it is collected, where it is stored and how it can be accessed. Knowing who accessed that data, and when, is equally if not more important. Being able to pinpoint who has accessed data is critical to any organization trying to protect it. Logging and monitoring controls are what enable organizations to do this.
During a forensic investigation, finding the source of a breach is like finding a needle in a haystack. Without logging and monitoring controls, or with only limited ones, that needle in a haystack becomes a needle in an open field. Sensitive data includes customer information, credit card numbers, personnel records, and payroll and banking information, among other assets deemed to be the organization’s crown jewels. The challenge is in determining what other types of sensitive data may exist and where. Such sensitive information includes corporate development (M&A) information, prototypes, source code, customer lists, proprietary pricing information, legal files, human resources data, and other data that, were it to be released, would be commercially damaging to the company.
What steps should companies take to better understand where their valuable data is?
- Before companies can understand where their sensitive data is, they need to understand what it is, in other words, what their crown jewels are.
- Survey key business units and obtain a list of their most sensitive data and IP by category.
- Determine what added security may be in place to protect that data.
- Request information about where the data is stored, how it is secured and how access is controlled.
- Integrate what is learned by this data gathering exercise into future IT security audits.