© 2015 Association of Certified Fraud Examiners, Inc.

Fraud-Related Compliance

Areas of Compliance, Part 1: FCPA, SOX, PCAOB, Dodd-Frank


Foreign Corrupt Practices Act (FCPA)

Enacted to prohibit corrupt payments to foreign officials and political organizations

Enforced by the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC)

Two principal components of the FCPA:

• Anti-bribery provisions

• Accounting provisions


FCPA Anti-Bribery Provisions

The provisions make it illegal to bribe foreign government officials to obtain or retain business.

Violations can result in fines and imprisonment.


Elements of an FCPA Bribery Violation

• A regulated party

• Makes a payment or offer

• To a foreign official or political organization

• With a corrupt motive

• For the purpose of influencing an official

• The payment relates to a specific business purpose


FCPA—Regulated Parties

Issuer—corporations, including foreign entities, that must file reports under the Exchange Act (publicly traded companies)

Domestic concern—includes U.S. citizens, nationals, residents, and businesses organized in or with their principal place of business in the United States

Foreign nationals/businesses that take any act in furtherance of a corrupt payment in the United States


FCPA—Payment or Offer to a Foreign Official

Payments and offers include anything of value.

Foreign official—any officer or employee of a foreign government or public international organization

• Includes executives and elected officials

• May include managers of state-owned institutions


FCPA—Corrupt Intent

The person authorizing the payment must have corrupt intent.

Constructive knowledge or willful blindness satisfies this element.


FCPA—Purpose

For the purpose of influencing an official

• The payment’s purpose must be to influence an official’s actions, decisions, or lack thereof that violate the official’s duties.

Business purpose

• Includes payments to obtain/retain business, gain special treatment under the law, or to obtain permits/licenses.


Exceptions/Defenses to FCPA

Routine governmental actions (grease payments)

• Focus on the underlying purpose of the payment.

• Higher payment(s) will draw regulators’ attention.

Affirmative defenses

• The payment is lawful in the foreign country (most bribes are not lawful anywhere).

• The payment was a reasonable and bona fide expenditure related to product promotion or performance of a contract.


FCPA Accounting Provisions

Apply to publicly traded companies and their subsidiaries

• Recordkeeping

• Internal controls

Penalties for entities

• Civil: up to $500,000

• Criminal: up to $25 million


FCPA—Recordkeeping Provision

Rule 13b2-1—unlawful to falsify any book, record, or account

Rule 13b2-2—unlawful to supply false information to auditors

Even if records are quantitatively correct, they must not fail to specify qualitative aspects that reveal the true purpose of a payment (e.g., mischaracterizing a grease payment).


FCPA—Internal Controls Provision

The internal control provisions are written to prevent unauthorized or unrecorded transactions.

Companies must:

• Maintain robust compliance policies.

• Take reasonable action to ensure affiliate compliance.


FCPA—Internal Controls Provision

Factors considered by the SEC to evaluate internal controls:

• Role of the board of directors

• Communication of policies and procedures

• Assignment of authority

• Competence and integrity of personnel

• Accountability for compliance

• Objectivity and effectiveness of the internal audit function


Other FCPA Considerations

Certain factors make a business more vulnerable to FCPA regulatory actions.

High-risk industries: pharmaceuticals, mining, telecommunications, energy, infrastructure

High-risk locations: as indicated by a country’s Corruption Perception Index (CPI)

High-risk activities: gift-giving, which is allowed modestly in some situations


FCPA Guidance

SEC and DOJ guidance on FCPA compliance:

• Anti-corruption policy from the top

• Policies and procedures

• Oversight, autonomy, and resources

• Risk assessment

• Training and continuing advice


• Incentives and disciplinary measures

• Third-party due diligence

• Confidential reporting and internal investigation

• Periodic testing and review of the program


2014 Corruption Perception Index


Sarbanes-Oxley Act (SOX)

Legislative response to accounting scandals (WorldCom, Enron)

Sweeping legislation, affecting many industries

Fraud-related rules on corporate governance, reporting, and accounting


SOX—Audit Committee Provisions

Audit committee’s fraud prevention duties

• Outside audits

• Internal reporting mechanisms

• Establishing procedures for receiving anonymous complaints

Under Section 204, outside auditors must report to the audit committee:

• Critical accounting policies and practices used

• GAAP alternatives and the auditor’s suggestions


SOX—Audit Committee Provisions

Composition of the audit committee

• Every member must be on the board of directors.

• Public companies must report whether or not at least one audit committee member is a financial expert, and, if not, explain why.

The committee must have sufficient authority and resources to carry out its duties.


SOX—Management’s Responsibility for Internal Controls

Section 404—Annual internal control report

• States management’s responsibility for controls

• Contains an assessment of internal controls over financial reporting (ICOFR)

• This requirement no longer applies to companies with market capitalization below $75 million.


SOX—Code of Ethics for Management

An effective compliance program requires an ethical tone at the top.

Under SOX, companies must have a code of ethics for senior financial officers.

• Public companies must disclose whether they have adopted such a code of ethics.

• They must make an immediate disclosure if there is a change in the code or a waiver for a financial officer.


SOX—Certification Requirements

Publicly traded companies file annual and quarterly reports with the SEC.

CEOs and CFOs must personally approve (certify) these reports.

Two categories of certifications

• Section 906 (criminal certifications)

• Section 302 (civil certifications)


SOX—Criminal Certification

All periodic filings with the SEC must be accompanied by a CEO/CFO certification that:

• States that the report fairly presents, in all material respects, the financial condition of the company

• Accurately states the results of the company’s operations

Violations of Section 902 may result in criminal penalties of up to $1 million and up to 10 years imprisonment.


SOX—Civil Certification

CEOs and CFOs must certify that:

1. They have personally reviewed the report.

2. To their knowledge, the report contains no material misstatements.

3. The report presents, in all material respects, the company’s financial condition, results of operation, and cash flow.


4. They have designed and evaluated the effectiveness of controls.

5. They have disclosed weaknesses of controls to auditors.

6. They have reported any significant changes in internal controls.


SOX—Whistleblower Protection

Section 801—mechanisms for receiving complaints about accounting/auditing methods

Section 806—civil liability for retaliation against fraud whistleblowers

Section 1107—criminal liability for retaliation against a whistleblower of a federal offense (covers all individuals, not just publicly traded companies)


Public Company Accounting Oversight Board (PCAOB)

The PCAOB was created under SOX to oversee auditors of public companies.

PCAOB rules provide further regulations and guidance for auditors (rules subject to approval by the SEC).


PCAOB Auditing Rules

Auditing Standard No. 5 governs audits of ICOFR.

It requires specific evaluations of controls:

• Over significant, unusual transactions

• Over journal entries and adjustments made at the end of the reporting process

• Over related-party transactions

• Related to significant management estimates

• That mitigate motivations for management to engage in fraud


Dodd-Frank Wall Street Reform and Consumer Protection Act

Passed in response to the economic crisis beginning in 2007

Major reform for the financial services industry

Many of its provisions remain untested, making updates to compliance programs essential.


Dodd-Frank—Whistleblower Provisions

In addition to SOX whistleblower protections, Dodd-Frank offers whistleblower incentives.

Whistleblowers are entitled to a portion of a successful recovery against violators.

• Includes violations of the Exchange Act and the FCPA

• Must be original information

• Penalty must be at least $1 million

• 10–30 percent of the recovery (based on helpfulness)


Dodd-Frank—Whistleblower Provisions

Internal reporting

• Many whistleblower laws require internal reporting.

• Dodd-Frank allows whistleblowers to go straight to the SEC with information, bypassing the employer.

• However, a whistleblower who first reports to the employer may still report the fraud to the SEC within 120 days of that internal report and remain entitled to the reward.


Dodd-Frank—Lending Provisions

Lenders must take steps to ensure the borrower’s ability to repay before issuing a loan.

If the failure of a nonbank entity would risk national financial stability, it will be regulated by the Federal Reserve.

It allows consumers free access to their credit scores if the score is used to negatively affect them in a financial transaction or hiring decision.


Discussion Questions

Suppose that a company contacts you, requesting that you assist it in designing a compliance policy. All you know so far is that the company is a large multinational operation with its headquarters in the United States.


Discussion Question #1

Regarding Foreign Corrupt Practices Act compliance:

• What kind of questions do you need to ask to begin designing the policy?

• What content do you need to include in the policy?

• What will the company need to do to remain in compliance once the policy is created?

• Do you have any ideas as to how the company can enforce the policy?


Discussion Question #2

Regarding Sarbanes-Oxley Act compliance:

• List a few preliminary questions you need to ask to help design the policy.

• What are some procedures that need to be included in the policy?

• After implementing the procedures you came up with, what does the company need to do to remain in compliance once the policies are created?

• How should the company enforce these policies?


Discussion Question #3

What would you recommend the company do to encourage employees to report matters internally before reporting to government investigators?