Oct 13, 2012

Compliance challenges for 2013

Communications between auditors and audit committees under scrutiny.

Whether because of newly enacted legislation or the ongoing work of fending off known risks within their industries, corporations must always be aware of the compliance challenges they face year to year. Next year should be particularly challenging as there appears to be a coordinated effort globally to combat the rash of financial fraud, corruption and money laundering that is hurting the economic systems of many countries. That means that dealing with stepped-up enforcement of established regulations like the Foreign Corrupt Practices Act (FCPA) and tackling evolving legislation like the SEC’s conflict minerals rules will be a top priority. Here is a look at some of the major areas of compliance that companies will need to focus on in 2013.
 
FCPA and UK Bribery Act enforcement

In 2013, worldwide concerns about bribery and corruption will force companies to reassess their policies and procedures to stop fraud, or suffer the consequences. ‘For all multinationals doing business, there are three areas they really need to be concerned with,’ notes Keith Darcy, executive director of the Ethics and Compliance Officer Association. ‘The supply chain, where there can be issues of procurement corruption; the distribution system and the sales force, where people can be pressured to produce top-line revenue, earnings and bonuses out of self-interest; and agents and third parties, because multinationals often have to engage these to do business in remote countries where they do not necessarily have resident expertise.’

To combat risks, Darcy says that ‘businesses have to pay significant attention to making sure that they fortify their internal controls to a very significant degree, that they train and educate their employees to a very significant degree about these risks, and that they openly and actively talk about these risks.’ By taking these measures, companies will be able to take appropriate action any moment there is a hint or rumor of any impropriety.

Demonstrating that the company had a capable system in place to counteract bribery and fraud certainly helped Morgan Stanley avoid a major FCPA fine earlier this year. The US Department of Justice (DoJ) declined to fine the company after former managing director Garth Peterson pleaded guilty to bribing a Chinese government official to steer business to Morgan Stanley, primarily because Peterson admitted to deliberately trying to evade systems in place to prevent bribery. After an examination of the facts and circumstances, it was determined that ‘Morgan Stanley constructed and maintained a system of internal controls which provided reasonable assurances that its employees were not bribing government officials.’

Erica Salmon Byrne, executive vice president of compliance and governance solutions at Corpedia, a NYSE/Euronext company, says there were three main issues the DoJ gave Morgan Stanley credit for that helped it to avoid the fine:

The quality of the firm’s policies. ‘Morgan Stanley had a policy in place on anti-corruption that was well written and was translated into all the applicable languages so all employees could read it,’ says Salmon Byrne. This was a critical consideration because Morgan Stanley operates in 47 countries, so presenting the policy in only a few languages would not have been adequate. The DoJ also felt Morgan Stanley’s policy was one of the more thorough that it had encountered.

The quality of the training. It was shown that Peterson had been trained 11 times on anti-corruption compliance, ‘so there really was no question that he knew better, and Morgan Stanley had the records to show that,’ Salmon Byrne explains. ‘So, part of a good compliance program is tracking things like how often somebody got trained.’

The quality of the communications. Morgan Stanley did not just rely on periodic training related to anti-corruption to set the tone at the company; it also regularly communicated to employees about the importance of anti-corruption compliance. ‘The company tied anti-corruption to things like holiday gift-giving times in various locations and sent out regular reminders using different formats,’ Salmon Byrne says. She advises that companies consider these three points when looking at how to improve compliance programs going forward.

Multinational corporations must also be aware of the UK Bribery Act, which goes a bit further than the FCPA in dealing with bribery.

Any company that does business in any jurisdiction of the UK is subject to penalties under the UK Bribery Act, whether the bribe took place in that jurisdiction or not. ‘So you could have a bribe take place outside the UK, but if the company does business anywhere in the UK it could still be subject to the bill,’ says Darcy.

He also notes that the UK Bribery Act not only pertains to bribery of public officials, like the FCPA, but also includes commercial bribery. ‘So I think in the next five-plus years, the UK Bribery Act will begin to take on a life equal to if not beyond the Foreign Corrupt Practices Act,’ he concludes.
 
Whistleblower rules

With the focus on bribery and corruption being so high, regulators will also be looking to see that companies are making it easier for employees to report corruption as mandated by Dodd-Frank legislation.

‘We haven’t seen the full impact of the Dodd-Frank whistleblower laws, but one thing is for sure: boards and governance professionals must be prepared to manage oversight of whistleblower claims that are escalated to the board – and have protocols in place, other than a hotline, to ensure that the right claims are escalated to the board,’ says Roy Snell, CEO of the Society of Corporate Compliance and Ethics.

Snell says corporations need to construct a policy that clearly explains how whistleblower claims will be moved in front of the board for action, and ensure that the system can work. He recommends companies have ‘a senior-level, empowered chief compliance officer in place with adequate resources to operate independently and powerfully’ outside of the legal department to enforce the policy. He also says the corporate secretary should review the policy with the board to ensure that all members approve and that everyone is aware of the process.

Darcy also warns organizations to have some way to communicate effectively with those employees who actually come forward with information, so that those employees can feel as if the process is moving toward a resolution. Companies will want to handle these things internally first, then go to regulators after a resolution has been found so that they can show their compliance measures work. However, if they don’t respond to whistleblowers in a reasonable time frame or if they don’t provide a satisfactory response to the issue, problems could develop.

‘Somebody has to let the whistleblower know that the company is looking into the issue that this person has had the courage to step forward and blow the whistle on, because if they don’t, that’s when the person is going to go outside the organization,’ Darcy says.
 
PCAOB standards for audit committee communications

The Public Company Accounting Oversight Board (PCAOB) has shown concern about the relationship between auditors and corporate audit committees, particularly as it relates to keeping the lines of communications open so auditors can come to the audit committee with concerns as they work through the financial statements. The regulator is implementing a new set of standards for auditor/audit committee communications that goes into effect on December 15, 2012. After that date, the PCAOB ‘will be watching to make sure that the communications involve the things that it wants them to involve,’ says Jim Hamilton, federal securities analyst at Wolters Kluwer.

Hamilton says the PCAOB wants to ensure certain information is communicated between the auditor and the audit committee immediately. There are three main issues:

·   Any unusual transactions or significant transactions. If the auditors find, for example, a business transaction that lacks economic substance, they would have to tell the audit committee about it and explain the business rationale for the transaction.

·   The company remains a going concern. Auditors would have to make sure that the company is a going concern and alert the committee if the risk of it not remaining so increased.

·   The outsourcing of audit responsibilities. If an outside auditor like PwC decides other firms should perform some of the audit tasks, it would have to inform the audit committee.

Hamilton says this new standard is intended ‘to make sure these communications are timely and effective for the oversight of the audit’. The new rules have not yet been approved, but Hamilton believes the SEC will almost certainly approve them before the effective date in December. After that, companies must have a mechanism in place to ensure that communication takes place.

Conflict minerals

Another piece of Dodd-Frank legislation that will take effect next year will require companies to track their use of certain minerals coming from the Democratic Republic of the Congo and other mineral-rich countries that are prone to conflict. Companies would have to publicly disclose the origin of minerals such as tantalum, tin, tungsten and gold that are regularly used in the production of their products.

‘This really plays into something that we saw a lot of companies talking about in 2012, and that is managing your supply chain – how you know who your suppliers are, and how you address issues associated with suppliers,’ says Salmon Byrne. The rule means that companies will have to extend their liability in terms of the use of conflict minerals to their suppliers and find ways to track their suppliers’ use of such minerals. The electronics industry is paying pretty close attention to this because a lot of the minerals it needs to build cell phones and computer components can come from conflict-prone locations; some companies in other industries, however, may also find that they have suppliers that handle these types of materials (maybe for another vendor), and their liability could come as a surprise. ‘You are responsible for figuring out whether or not your suppliers are trafficking in conflict minerals,’ Salmon Byrne explains.
 
Rules for social media

As the use of social media evolves, there will be a need to set rules to make sure corruption and other abuses do not flourish in this sphere. These are likely to develop gradually over time. ‘Corporate secretaries and governance professionals need to find solutions and adopt a balanced approach in their communications with regulators, NGOs, management and investors in the open environment of the internet,’ says Snell. ‘Increasing regulations and demands for more transparency are going to push governance professionals to be more proactive and reactive – and they’ll have to stay on top of evolving best practices.’

The internet raises major problems for companies because many are just now creating internet policies for their workers to follow and setting up systems to ensure that workers comply. The National Labor Relations Board recently placed some strict limits on what companies are allowed to do under both the First Amendment and the National Labor Relations Act when it comes to employees’ use of social media when at work. These rules deal with what companies are or are not allowed to do when they want to restrict their employees’ ability to use social media on company computers. There has been an uptick in instances where people have alleged that Facebook friends are retaliating against them for work-related issues via social media and have filed claims against the company. Developments like this have the potential to impact on every company.

‘Companies have to be really careful about how they address social media issues within their social media policies and within their codes, and about what they tell employees they can’t do online when they are at work,’ says Salmon Byrne. ‘That’s an issue that is going to continue into the New Year.’

Improving compliance at your organization

Experts suggest that there are a number of things companies can do to stay ahead of today’s more stringent compliance environment. Roy Snell, CEO of the Society of Corporate Compliance and Ethics, says that due to the higher number of board failures this year, the corporate secretary must pay closer attention to the types of training and engagement the board receives when it comes to compliance and ethics. He suggests that corporate secretaries should move away from what he calls ‘typical helicopter-level’ training and concentrate more on ‘what they really need to know about their roles, the company compliance program, and risk and mitigation programs – and they should practice their role by having transparent discussions involving different compliance scenarios.’

This type of training will become extremely important in dealing with the heightened expectations of regulatory and stakeholder demands on boards dealing with compliance and ethics.

Erica Salmon Byrne, executive vice president of compliance and governance solutions at Corpedia, reminds companies that they need to do an annual ‘look back and review’ of their current compliance systems to see if they are effective, and to make changes where appropriate.

‘Your program needs to be dynamic – it needs to grow and change with your peer organizations’ programs as well as your company’s profile as you grow,’ she says.

‘Pick your head up, look around and figure out whether or not there is anything that your peer companies are doing that you’re not currently doing,’ Salmon Byrne continues. ‘There are a lot of different ways to do that – there are peer roundtables, membership organizations, and vendors like Corpedia offering services that fulfill that requirement. There is a lot of benchmarking data out there, and companies really need to be taking advantage of it.’