fcpa compliance audits: lessons from recent...

FCPA Compliance Audits: Lessons from Recent Investigations
Monitoring and Improving the Effectiveness of FCPA Compliance Programs

Presenting a live 90-minute webinar with interactive Q&A

TUESDAY, NOVEMBER 26, 2013
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:
Peter Viksnins, Director in the Forensic Services, PricewaterhouseCoopers, Washington, D.C.
Albert A. Vondra, Partner, PricewaterhouseCoopers, Cleveland
David A. Wilson, Partner, Thompson Hine, Washington, D.C.

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.



  • Tips for Optimal Quality

    Sound Quality
    If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-888-601-3873 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

    Viewing Quality
    To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

    FOR LIVE EVENT ONLY

  • Continuing Education Credits

    For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

    • In the chat box, type (1) your company name and (2) the number of attendees at your location

    • Click the word balloon button to send

    FOR LIVE EVENT ONLY

  • David A. Wilson, Thompson Hine
    Albert A. Vondra, PricewaterhouseCoopers
    Peter Viksnins, PricewaterhouseCoopers, Washington, D.C.

  • • U.S. Sentencing Guidelines
    • DPA/Plea Agreement terms
    • US/International/UK Bribery Act Guidance
    • Evolving concept of “best practices”

  • §8B2.1. Effective Compliance and Ethics Program
    • The organization shall take reasonable steps—
      ₊ to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;
      ₊ to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and
    • The organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify [program elements] to reduce the risk of criminal conduct identified through this process.

  • "Periodic review and testing of the compliance code, standards and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and [company's] compliance and ethics program, taking into account relevant developments in the field and evolving international and industry standards."

  • • In addition to discussion of auditor obligations, SEC & DoJ mention internal audits several times in the guidance, including:

    • “DOJ and SEC encourage companies engaging in mergers and acquisitions to: … conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable” (page 29)

    • “As a company’s risk for FCPA violations increases, that business should consider increasing its compliance procedures, including due diligence and periodic internal audits.” (page 59)


  • “Periodic reviews of the ethics and compliance programmes or measures, designed to evaluate and improve their effectiveness in preventing and detecting foreign bribery, taking into account relevant developments in the field, and evolving international and industry standards.” OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance


  • MOJ Guidance regarding Adequate Procedures under UKBA
    • Principle 3: The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented.
    • Principle 6: The commercial organisation monitors and reviews procedures designed to prevent bribery by persons associated with it and makes improvements where necessary.
    • Recent SFO guidance on self-reporting: “no guarantee that a prosecution will not follow.”

  • Compliance Program Assessment
      • Company-wide
      • Review of program components

    Risk Assessment
      • Company-wide or site-specific
      • Identify corruption risk areas

    Compliance/FCPA Audits
      • Site-specific
      • Evaluate site’s compliance with laws and policies
      • Transactional testing and interviews

  • Pfizer DPA (August 2012)
    • Risk Assessments
      + Risk-based program of annual reviews of high-risk markets based on business and location
      + Five markets identified and reviewed annually

  • Each FCPA Audit shall include:
    • On-site visits by a team from Compliance and, when appropriate, Legal and qualified auditors who have received FCPA and anticorruption training.
    • Review representative sample of contracts, payments to government officials, healthcare providers and other high-risk transactions.
    • Creation of action plans resulting from issues identified during audits with undertakings designed to enhance anticorruption compliance, repair process weaknesses, and deter violations.
    • Where appropriate, feasible, and permissible under local law, review of the books and records of distributors

  • Pfizer DPA (August 2012) ($15MM Criminal Penalties, $45.2 in disgorgement and interest)
    • Nine-point compliance program mandated, requiring:
      ₊ corporate policy against violations;
      ₊ application to all employees and outside parties acting on company’s behalf;
      ₊ appointment of responsible executives who report to Board
      ₊ training and certifications
      ₊ reporting system for violations
      ₊ disciplinary procedures;
      ₊ due diligence on agents and business partners;
      ₊ standard contract provisions;
      ₊ periodic testing of code, standards and procedures

  • • In a recent (August 2012) SEC settlement, the regulators alleged that a company “…failed to audit and compare the distributor's margin against the end user price to ensure excess margins were not being built into the pricing structure…” and “failed to seek transparency in or audit third party payments made by distributors…”

    • This case was also the first time the SEC made an FCPA Books & Records and Internal Controls charge without an attendant allegation of bribery, for “creating the potential for bribery or embezzlement.”

  • • Detect and deter violations
    • Reassess risk profile
    • Test compliance program effectiveness
    • Satisfy government expectations
      ₊ Involvement of senior management

  • • A risk-based process that can be consistently and systematically applied to operations across the globe
    • Appropriate depth and scope in light of resources and risks
    • Cost-effective and non-disruptive to business
    • Preserve privilege where appropriate

  • I. Why conduct an anti-corruption risk assessment?
    II. Measuring risk factors
    III. Scope of an FCPA audit
    IV. Operations compliance assessment
    V. FCPA Compliance – Course of action for companies
    VI. Questions and answers

  • Downside of forgoing risk assessment
      • Fines and Penalties
      • Reputational risk
      • Shareholder litigation
      • Corollary prosecution
      • Wasting resources on low-risk areas/focusing on the wrong areas

    Upside of performing a risk assessment
      • Cost effective program
      • Business partner competitive advantage
      • UK Bribery Act Adequate Procedures Defense
      • Insurance claims

  • • Industry’s Compliance Problems
    • Company’s Compliance History, Audit Findings
    • Senior Management – involvement and commitment
    • Nature and locations of business/transactions
    • Use of third parties, vendors, suppliers
    • Documentation and support – books and records
    • Business with government entities


  • GEOGRAPHY
    Operating locations and export destinations

    2012 Transparency International Corruption Perception Index: Scores countries on a 1-100 scale, with 100 representing the least perception of corruption and 1 the highest perception of corruption.

    World Bank’s World Wide Governance Index: Measures regulatory quality, control of corruption, political stability, and absence of violence.

    Top Five       Score    Bottom Five    Score
    Denmark        90       Myanmar        15
    Finland        90       Sudan          13
    New Zealand    90       Afghanistan    8
    Sweden         88       North Korea    8
    Singapore      87       Somalia        8


  • • Contacts with Government, for example
      ₊ Customs
      ₊ Immigration
      ₊ Tax Authorities
      ₊ Litigation
      ₊ Customers
      ₊ Regulators
    • Industry-specific risks
    • Channels to market: third parties

  • • Compliance - policies and procedures
    • Third party agreements and payments
    • Payments to foreign officials
    • Charitable contributions/donations
    • Payments - gifts, T&E, hospitality, facilitation
    • Sponsorships
    • Opening and maintenance of bank accounts
    • Cash – petty cash/advances
    • Import and export

  • • Finance and Accounting
      — Discussions to be held with, but not limited to, Accounting Manager
      — Analyze Chart of Accounts for other high risk accounts, and where high risk transactions could be recorded
      — Analyze Local Policies and Procedures
      — Payment testing
    • Gifts and Hospitality
      — Discussions to be held with, but not limited to, Accounting Manager
      — Analyze Chart of Accounts
        — Gifts
        — Gratuities
        — Entertainment
      — Analyze Local Policies and Procedures
      — Payment testing

  • • Expense Reports
      + Obtain policies regarding employee expense reimbursement
      + Determine whether reimbursements are made to non-employees
        – Obtain explanation and purpose
      + Select representative reports for individuals including but not limited to
        – Director, managers, sales representatives
        – Examine approval and documentation for reimbursements
        – Assess adequacy of documentation
        – Assess validity of business purpose
        – Assess compliance with expense reimbursement policies
        – Identify employee reimbursements where a government official was present
      + Identify travel or other expenses paid to vendors, representatives or agents on behalf of a government official

  • • Tenders and Contracts
      + Meetings should be held with, but not limited to, head of sales and/or operations manager.
      + Obtain an understanding of company’s revenue stream
        – Main customers
        – Government (direct or indirect sales)
        – Contracts
      + Anything of value provided
      + Tender process
        – Responsibility and involvement in participation
      + Assess policies and procedures related to discounts, rebates, allowances, and commissions, and how they are recorded.
      + Contract testing
      + Payment testing

  • • Third Parties
      + Discussions should be held with personnel dealing with distributors/sales agents and others used as channels to government customers (third parties).
      + Obtain and analyze a third party listing
      + Obtain an understanding of policies related to payments to third parties
      + Is due diligence performed by Company prior to retaining third parties?
        – Are there periodic updates and knowledge of dealings?
      + Are there any “above average” commissions or discounts?
      + Approval process for certain third party activities.
      + Right to audit? Is it exercised?
      + Does Third Party make disbursements on behalf of the Company? How are they reimbursed?
      + Contract testing
      + Payment testing

  • • Assignment of a corporate official to oversee compliance with policies, standards, and procedures regarding anticorruption laws. Reports directly to AC and BOD.
    • Issuing clear company policies (in each jurisdiction) on what constitutes unacceptable behavior and enforcing the prescribed consequences.
    • Installation of a mechanism which is accessible and provides anonymity to report concerns.
    • Performing frequent risk assessments/field tests/audits to determine whether employees understand company policies and testing the adequacy of existing programs and controls.
    • Streamlining and integrating payment systems to easily see where, why, and how much money is being spent.
    • Regularly testing payment systems and controls to gain transparency into high risk expenditures.
    • Thoroughly and regularly training employees to address the enforcement of international anticorruption standards. Implementation of annual certification process for senior management.
    • Routinely conducting due diligence on third parties, such as agents, sales consultants, distributors, and vendors.
    • Completion of due diligence by legal, accounting and compliance prior to acquisition.

  • • Scope
    • Resources
    • Control
    • Costs
    • Access to Information
    • Handling the results
    • Collateral consequences

  • • Tailoring scope
    • Board and senior management involvement to define scope and allocate resources (internal and external)
    • Business segments; foreign subsidiaries; JVs; third parties
    • Defining audit period
      + scale, resources, time to completion

  • • Many levels of audit depending on risks, audit history
    • Tailor to company’s circumstances
    • Define clearly up front; refine if warranted
    • Draft plan before starting with goals, scope, processes, responsibilities and categories of tasks defined
    • Build in accountability and reporting

  • • Disruption to business
    • Costs
    • Internal personnel
    • External consultants, lawyers

  • • Outside auditors
    • Internal audit
    • Resource constraints?
    • Consultants
    • Counsel
    • Outside lawyers have expertise but are costly
    • In-house lawyers know the company but their objectivity can be questioned
    • What, if any, privilege can be maintained

  • • Board/Audit Committee
    • Internal audit/Compliance
    • In-house counsel
    • Critical component of cost-effectiveness

  • • Develop budget with input from all participants
    • Break down tasks and align responsibilities with expertise
    • Combine audit with training to minimize travel
    • Stick to audit plan unless explicitly revised
    • Reporting and accountability

  • • Local laws on privacy
    • Interviews
    • Email collection
    • Uncooperative or reluctant employees
    • Third parties
    • Availability of information on agents, business partners

  • • Consult local counsel on privacy issues
    • Communicate goals of audit to employees
    • Invoke contractual rights with third parties or revise contracts
    • Must be even-handed

  • • Critical for effectiveness and credit
    • Disciplinary action
    • Changes in business partners
    • Training
    • Process changes
    • Preserve information
    • Reporting out
    • To board/audit committee
    • To government authorities (based on advice of counsel)
    • Value of self-disclosure, remediation

  • • Plan for corrective action as part of audit
    • Regular reporting up when issues arise

  • • Swift action is key
    • Heightens need for frequent audits
    • Whistleblower dangers
      ₊ Incentive to report before company does
    • Must show company takes compliance seriously

  • • Government investigations
    • Shareholder and derivative litigation
    • Disgorgement and penalties
    • Attorney’s fees
    • Reputational damage

  • David A. Wilson
    Thompson Hine, Washington, D.C.
    202.263.4161
    [email protected]

    Albert A. Vondra
    PricewaterhouseCoopers, Washington, D.C./Cleveland
    703.918.1534/216.363.5812
    [email protected]

    Peter Viksnins
    PricewaterhouseCoopers, Washington, D.C.
    703.918.1514
    [email protected]

    Slide titles:

    • Slide Number 1
    • Tips for Optimal Quality
    • Continuing Education Credits
    • Implementing Audits to Bolster Effective FCPA Compliance Programs
    • PART I: Compliance Landscape
    • U.S. Sentencing Guidelines
    • Common DOJ Settlement Terms
    • SEC/DoJ FCPA Resource Guide
    • International Guidance
    • UK Bribery Act
    • Types of Compliance Reviews and Audits
    • Example of Assessment/Audit Approach Endorsed by DOJ
    • Example of Assessment/Audit Approach Endorsed by DOJ (con’t): Pfizer DPA
    • Compliance Program Components Endorsed by DOJ
    • Evolving Regulatory Expectations
    • Benefits of Compliance Reviews and Audits
    • Goals in Designing Testing Protocol
    • PART II: Conducting an Audit
    • Why assess corruption risk? Upsides and Downsides
    • Risk assessment – Items to consider
    • Risk assessment: Measuring risk factors
    • Risk assessment: Measuring risk factors
    • Risk assessment: Measuring risk factors
    • Risk assessment: Measuring risk factors
    • Areas of Focus
    • Scope of an FCPA Audit Includes:
    • Operations Compliance Assessment
    • Operations Compliance Assessment
    • Operations Compliance Assessment
    • Operations Compliance Assessment
    • FCPA Compliance: Things companies should be doing
    • PART III: Some Challenges of Compliance Reviews
    • Identifying Scope
    • Define appropriate scope
    • Resource management
    • Who conducts the review?
    • Who Controls the Review
    • Controlling Costs
    • Restrictions on Access
    • Overcoming Access Challenges
    • What to do with the results
    • Overcoming Inertia
    • Dodd-Frank Implications
    • Collateral Consequences
    • Slide Number 45
    • Slide Number 46
    • Slide Number 47
    • Slide Number 48