In the world of anti-corruption internal controls, there is no “one-size-fits-all” model. Ideally, design and implementation of such controls should be thoughtful, rigorous and based on a robust and re-performable corruption risk assessment.
There are, of course, a number of sources of high-level guidance available, ranging from the DOJ / SEC FCPA Guidance, the OECD’s Good Practice Guidance on Internal Controls, Ethics, and Compliance, Transparency International’s Business Integrity Toolkit, and the UK Ministry of Justice’s Guidance about procedures to prevent bribery, among others.
However, none of these is intended to provide an exhaustive checklist of individual internal controls to combat corruption risk, and unfortunately, relatively little guidance about specific anti-corruption controls is available to businesses on a more granular level. Thus, compliance, legal, finance and internal audit leaders face the challenge of hitting the “sweet spot” — that is, designing and implementing internal controls that combat the corruption risks they face without overwhelming their available resources, such as management’s time and attention, much less cash available for compliance undertakings.
Nevertheless, a recent SEC administrative proceeding provides some insight into government expectations about anti-corruption internal controls. Specifically, its settlement with Bruker Corporation contains language not only about gifts, travel and “suspect collaboration agreements” with Chinese government officials and intermediaries, but also about its view of decentralized compliance programs, policy translation, ethics hotline availability, and independence of both compliance and internal audit functions.
With respect to translation, the SEC wrote in relevant part,
Bruker did not translate its training presentations on FCPA, ethics, or compliance issues into local languages, including Mandarin. And although Bruker implemented an FCPA policy in 2006, it failed to translate that policy into Mandarin and relied mainly on its China-based managers to ensure that employees understood the potential FCPA implications of doing business with SOEs. Also, while Bruker periodically distributed its Code of Conduct (containing its gifts and entertainment policies) and employee handbook to employees worldwide, it again failed to translate these documents into local languages, including Chinese.
Does this mean that any business operating in China ought to translate all its compliance documentation into local languages? The answer (as is usually the case in the compliance field) is: it depends.
The SEC signals the level of risk faced by Bruker by pointing out that the “Bruker China Offices… sold their products primarily to SOEs.” This indicates that the SEC may have perceived a higher level of corruption risk based on Bruker’s customer profile, all other things being equal, and would thus have expected stronger internal controls, such as translated policies, training, etc.
The excerpt above also discusses the idea of a decentralized compliance program (“…relied mainly on its China-based managers to ensure that employees understood…”), and the SEC further clarifies in the subsequent paragraph in the order, which reads in relevant part,
Bruker also failed to adequately monitor and supervise the senior executives at the Bruker China Offices to ensure that they enforced anti-corruption policies or kept accurate records concerning payments to Chinese government officials. The Bruker China Offices had no independent compliance staff or an internal audit function that had authority to intervene into management decisions and, if appropriate, take remedial actions. Bruker also failed to tailor its preapproval processes for conditions in China, instead allowing the Bruker China Offices approval over items such as nonemployee travel and changes to contracts. As a result, senior employees of the Bruker China Offices had unsupervised control over the compliance process; these employees in turn abused their privileges, approving suspect payments to Chinese government officials for non-business related travel and for purported Collaboration Agreements.
This excerpt again reinforces the idea of a risk-based set of internal controls “tailored… for conditions in China.”
More importantly, it appears to argue for independent oversight of the compliance process, which is, in our view, typically a tough balancing act for companies to get right. How should this independent oversight be executed? Practically speaking, clients often ask for external advice from experienced anti-corruption counsel or forensic accounting professionals, or groom internal resources for such oversight roles, based on a cost-benefit analysis alongside their dynamic corruption risk assessment.
There is, as yet, no perfect answer to the question “how much is enough?” But a careful reading of the SEC’s order in Bruker may provide a bit of insight into “how much is too little?”
* * *
The SEC’s order as Securities and Exchange Act of 1934 Release No.73835, Accounting and Auditing Enforcement Release No. 3611, and Administrative Proceeding File No. 3-16314 (all dated December 15, 2014) is here (pdf).
Pete Viksnins, a long-time friend of the FCPA Blog, recently joined the Forensic, Investigative and Dispute Services practice at Grant Thornton LLP, based in McLean, Va. He’s also an adjunct professor at The George Washington University, where he teaches the Fraud Examination and Forensic Accounting course to Masters of Accountancy candidates. He can be contacted here.