In February 2017, the U.S. Department of Justice (DOJ) released the document Evaluation of Corporate Compliance Programs on its Fraud Section website. The document is an 11-part list of questions that encapsulates the DOJ’s current thinking on what constitutes a best practices compliance program.
Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and useful resource for every Foreign Corrupt Practices Act (FCPA) compliance practitioner.
The evaluation requires that global payroll not only form a part of any best practices compliance program but when it comes to specific subject matter expertise, global payroll be on the front lines of any attempts to prevent, detect, and then remediate FCPA compliance violations.
Emphasis on Operationalization of Compliance
The evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal “Ten Hallmarks of an Effective Compliance Program,” released in the 2012 FCPA Guidance. If there is one overriding theme in the evaluation, it is the DOJ’s emphasis on operationalization of compliance, as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization.
The evaluation is not simply a restatement of the Ten Hallmarks. It clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s 2016 FCPA Pilot Program regarding effective compliance programs, most particularly found in prong 3, regarding remediation. It is likely that former DOJ Compliance Counsel Hui Chen not only helped the DOJ to understand what constitutes an effective compliance program but also provided solid information to the greater compliance community on this score.
It is through this list of questions that the DOJ will consider if a company has an effective anti-corruption compliance program. This inquiry is critical because if the DOJ makes such a determination, a company may fully escape all liability, even if it has sustained an FCPA violation. At the very least, it may lead to the company receiving a significant discount if a fine or penalty is warranted.
The evaluation states that it provides “common questions that we [the DOJ] may ask in making an individualized determination. This document provides some important topics and sample questions that the Fraud Section has frequently found relevant in evaluating a corporate compliance program. The topics and questions below form neither a checklist nor a formula. In any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue.”
Global Payroll Compliance in Action
The global payroll specialist has a significant role in the operationalization of a corporate compliance program, as found in section 4b of the evaluation (Operational Integration). Here it includes who is responsible for integrating your policies and procedures throughout an organization, what internal controls are in place, specific inquiries into the role of the company’s payment system in any FCPA violation, and how oversight is dedicated in your organization. The questions posed are:
- How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)?
- What processes could have prevented or detected improper access to these funds? Have those processes been improved?
This is immediately followed by an equally important set of questions:
- How have those with approval authority or certification responsibilities in the processes relevant to the misconduct known what to look for, and when and how to escalate concerns?
- What steps have been taken to remedy any failures identified in this process?
Finally, the proceeding questions surround payment systems:
- What controls failed or were absent that would have detected or prevented the misconduct?
- Are they there now?
Taken together, these three groups of questions may not seem particularly new, innovative, or even something different from what global payroll currently does for an organization. However, the evaluation, with its emphasis on the operationalization of a corporate compliance program clearly demonstrates the role of global payroll in compliance.
The FCPA prohibits “anything of value” to be provided to foreign government officials or employees of state-owned enterprises in order to obtain or retain business. This “anything of value” is almost always money—and that money must come from somewhere inside the company.
While the U.S. political scandal’s Watergate intonation to “follow the money” certainly continues to be valid in any FCPA issue, the evaluation speaks in much more depth around global payroll’s responsibility in a corporate compliance program. There must be demonstrable controls in place that not only detect fraudulent payments but would work to prevent any such payments as well.
Global Payroll Tasked to Prevent Fraudulent Activities
Yet when the three inquiries are read together, they paint a broader picture than one of simply tasking global payroll with the responsibility to prevent fraudulent leakage of money that could be used to fund bribes. The questions around the approval/certification process should be a standard part of any payroll system.
This has the effect of operationalizing the responsibility up and down the management chain from the individual employee, up through their manager(s), and eventually to the highest level of management involved in the process. This level of operationalization is designed to not only put a set of brakes in place but also work to put a second set of eyes on the entire payroll process.
The Remediation Prong—Root Cause Analysis
Finally, the questions proceeding the Payment Systems questions speak to the remediation prong of any best practices compliance program. If there was a global payroll control failure, which led to or even allowed an FCPA compliance violation, what was done to fix the control issue? Here, global payroll should work to perform a root cause analysis of what led to the control failure and then enhance or upgrade the control to provide a solution going forward. Of course, there should be a fully documented audit trail for this work to provide to the government should they ever inquire or even to your own corporate auditors.
The DOJ has now provided its clearest statement on how it expects a company to actually do compliance going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from FCPA violations. Yet, the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process that should be best administered by the appropriate business unit with the requisite subject matter expertise. When it comes to following the money, global payroll is the most well-suited corporate discipline to provide this first level of oversight and controls.
Tom Fox is the Compliance Evangelist™. He has practiced law in Houston for 34 years. He was most recently General Counsel at Drilling Controls, Inc., a worldwide oilfield manufacturing and service company. He is now one of the country’s leading experts on the Foreign Corrupt Practices Act (FCPA), risk management, and compliance generally. Fox is the author of several international best-selling books and leads social media discussions on his “The FCPA Compliance and Ethics Blog” as well as five podcasts.