On this date in 1864, the Union Army phase of the destruction of Atlanta began. While most Southerners credit Union General William T. Sherman with the burning of Atlanta, it was, in reality, Confederate General John Bell Hood who ordered the burning of the armament works that started the destruction. Sherman merely finished it. But whoever started or finished it, the result was horrific for the city. By one estimate, nearly 40 percent of the city was ruined, leaving, as one commentator noted, “little but a smoking shell.” Unfortunately for the Confederacy, this is not the last we will hear about either General Sherman or General Hood.

The Bio-Rad Laboratories Inc. (Bio-Rad) Foreign Corrupt Practices Act (FCPA) enforcement action has provided a wealth of information and lessons to be learned by the compliance practitioner. In Parts I and II I reviewed the facts of the Bio-Rad enforcement action and the specified remedial steps that the company has agreed to take. Today, I want to mine the Deferred Prosecution Agreement (DPA), the company received from the Department of Justice (DOJ) and the Securities and Exchange Commission’s (SEC) Order Instituting Cease-and-Desist Proceedings (Order) and detail the specific internal controls that I think might have helped the company. (I will really try not to get carried away and have a Bio-Rad, Part IV but there is tons of great stuff in this one so there is no telling as I begin to write this post where I might end up.)

For many managers the default mode is to stay within silos and, as noted by Andrew Hill in his article in the Financial Times (FT) entitled “The default mode for managers needs a reset”, that such persons are “suspicious of ideas that are “not invented here.” This may lead them to becoming “detached from the purpose, and even values, of the company.” This can be particularly true of changes required by an anti-corruption compliance program which many business development types fear will change the status quo in a manner, which “puts at risk predictable, comfortable routines.”

Even with the three different bribery schemes used by Bio-Rad in three different countries, some general statements can be made. Obviously the use of a third party representative in Russia was fraudulent. However a robust system of internal controls might not have only detected such conduct but also prevented it if the Emerging Markets Regional Manager and/or any of the team under him knew that they would be checked by a second set of eyes on what they were doing.

I will focus on four areas of internal controls that were sorely missing from the company during its bribery scheme heyday:

• Delegation of Authority (DOA)
• Maintenance of the vendor master file
• Contracts with agents
• Movement of cash / currency.

Delegation of Authority 

Your DOA should reflect the impact of FCPA risk (transactions and geographic locations) to result in higher levels of approval for matters involving agents and for funds transfers and invoice payments to countries outside the US. If properly prepared and enforced, the DOA can be a powerful preventive tool for FCPA compliance, unfortunately this is not often the case as very often the DOA is prepared without much thought given to FCPA risks.

Properly utilized in a FCPA risk based process, the DOA takes into account the increased risk posed by certain types of transactions and by certain geographic locations. The DOA then provides for a higher level of scrutiny for higher risk transactions. This means that the DOA should specify who must give the final approval for engaging agents. Yet the DOA might distinguish between approval of vendor invoices for “routine” third party representatives and those from high-risk third party representatives, such as agents. Finally, the DOA should be integrated into the accounts payable processing system in a manner that ensures all high-risk vendor invoices receive the proper visibility. Identifying high-risk third party representatives can often be done within the vendor master file so payments to them are identified for appropriate approval BEFORE they are paid.

Vendor Master File

The vendor master file can be one of the most powerful PREVENTIVE control tools. This file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. Electronic controls should be in place to block payments to any vendor for which vetting has not been approved. Manual controls are needed over the submission, approval, and input of changes to the vendor master file. These controls include verification that all third party representatives have been approved before their information (and the vendor approval date) are input into the vendor master. Manual controls are also needed when “one time” third party representatives are submitted, when vendor name and/or vendor payment information changes are submitted.

Contracts with Third Party Representatives

As demonstrated with the Bio-Rad enforcement action, contracts with agents are typically not integrated into an internal control system. They are left to operate on their own. Indeed in the case of Bio-Rad it is not clear if the compliance function had visibility into this process at all. However, to provide effective control, relevant terms of those contracts should be extracted and be made available to those who process and approve vendor invoices. This would also include a review of the commission rate for sales agents and the discount rate for distributors. To accomplish this, once the third party representatives are flagged as high-risk, and before any payments are made, the invoices are pulled for review and approval in accordance with the DOA. Such review would require that nonconforming service descriptions, commission rates, etc., must be approved not only by the original approver but also by the person so delegated in the DOA. This provides the necessary PREVENTIVE control to intercept questionable amounts before they are paid.

Disbursements of funds

All situations in which funds can be sent outside the US (accounts payable computer checks, manual checks, wire transfers, replenishment of petty cash, loans, advances, etc.,) should be reviewed from a FCPA risk standpoint. The goal is to identify the ways in which a country manager could cause funds to be transferred to their control and to conceal the true nature of the use of the funds within the accounting system. Controls need to be in place to prevent such activities. This would require that wire transfers outside the US have defined approvals in the DOA, and the persons who execute the wire transfers should be required to evidence agreement of the approvals to the DOA. Moreover, wire transfer requests going out of the US should always require dual approvals. Finally, wire transfer requests going outside the US should be required to include a description of proper business purpose and over certain level, there should be an additional review (yet another ‘second set of eyes’).

What about Hill and his default mode for managers to stay in their silos and never come out or allow change in their regions, such as was the case with the Bio-Rad Emerging Markets leadership team? This can occur in the compliance arena when the compliance function receives push back and is told the controls are too burdensome and also make operations less efficient. One of the areas available to a compliance professional is benchmarking from other company’s compliance experiences. However this can be expanded into solid presentations about why it is important to assess and mitigate FCPA risks using your corporate peers that have been the subject of a FCPA enforcement action. This is some of the best sources of information a compliance practitioner can avail his or herself of to provide good insight into why it was never expected that the company would be subject to FCPA enforcement and insight into the extreme disruption, cost, and anxiety which accompanied the enforcement actions.

Another key factor, as with all FCPA compliance initiatives, is ‘Tone at the Top’. This means that you should meet with and present the case for FCPA-focused internal controls to your company’s Executive Leadership Team (ELT), Audit Committee of the Board or other appropriate group of senior executives. The presentation should include, with examples, the importance of identifying and mitigating the FCPA and fraud risks. Some of these might include the following:

• Illustrating the examples of how the controls can prevent bribery as well as many other types of occupational fraud;
• Illustrating that the controls needed are all sound business controls, nothing exotic or out of the ordinary;
• With proper control design, it may be possible to eliminate some existing detect controls in favor of more useful preventive controls or even prescriptive controls;
• As a result of your business changes and resulting changes in assessed risks, it may be that some procedures now being performed are no longer needed and the resources can be shifted to more necessary controls; and
• It may be possible to build in more electronic controls, which can replace existing manual controls.

As we end today’s post with Atlanta burning, Andrew Hill tearing down silos so that a company like Bio-Rad can put appropriate FPCA internal controls in place and arm the compliance practitioner with a wealth of information and lessons which can be applied to your own compliance program, all courtesy of Bio-Rad, I find that there is one more significant lesson to be taking away from this enforcement action, however I will save that for another day.