When it comes to compliance, just do it!
Recently, I read that the Securities and Exchange Commission sanctioned numerous firms for violating auditor independence rules when they prepared the financial statements of brokerage firms that were their audit clients. Specifically, the agency found that during audits, the firms relied on data from financial statements and notes that the audit firms themselves had prepared for the clients. Obviously they couldn’t do it because they were in effect auditing their own work. In another example, I recently read that a former paralegal of a well-known pharmaceutical company claims she was fired in retaliation for revealing a huge scheme involving kickbacks to doctors in violation of US law. So why then, in these examples, years after the implementation of SOX and the FCPA (which forbids these actions), did such a number of firms violate SOX and probably their own internal rules? If the former paralegal’s allegations are true, why didn’t the pharmaceutical company have an FCPA process in place to pick up the kickbacks? The answer is simple: the companies in question failed to implement a proper compliance program that adequately addresses their major processes and procedures.
Though SOX was implemented in 2002 and the DOJ mandated compliance programs by 2004, many companies have yet to implement robust, leading-edge, state-of-the-art compliance programs. Some don’t want to spend the money involved in setting up the program, and others have communication issues between the BOD and upper management. Some have even failed to get management buy-in to the necessity of a robust, all-encompassing compliance program. Some even still refuse to put FCPA processes in place, thinking that since they are not a US company the FCPA doesn’t apply, which is of course wrong.
In-house counsel, risk managers and, yes, compliance officers all must focus on the proper implementation of compliance programs in their respective organizations. All must realize there is no excuse for failing to enact such a program as soon as possible, or for failing to improve a program if one already exists. In the words of a famous footwear company, just do it!
The Seven Elements
As we near the end of the year, not only in-house counsel but managers in general must concentrate on next year’s compliance plans and satisfy the DOJ’s seven-element test to ensure that the compliance program is in fact legitimate:
- Compliance standards and procedures must exist
- There must be oversight by high-level personnel
- There must be due care when delegating authority
- There must be effective communication of standards and procedures
- An auditing/monitoring/reporting system or systems must be in place
- Compliance must be promoted and enforced consistently throughout the organization
- There must be an appropriate response after a violation has been detected
So what is needed?
- A code of conduct
- For subsidiaries, local codes of conduct too
- Training: regional and local training on all aspects of the company’s processes, covering such areas as antitrust, SOX, FCPA, sexual harassment, etc.
- A robust and anonymous reporting system
- Buy-in from upper management
Training is of course one of the most important aspects of a compliance program. Local training can be given by HR, Legal, Risk Management, Compliance, etc. The goal of any compliance program should be to equip employees to handle compliance issues, to identify potential wrongdoing and to understand their role in the overall compliance scheme. They should know what to report and how to report compliance violations.
Remember, a company needs to implement a compliance program for a number of reasons.
The Right Reasons
- For preventing problems
- For detecting problems
- For responding and remedying compliance issues
- For creating a culture of compliance
- For enhancing the company’s brand
What most companies miss, however, is that the key to implementation is senior management buy-in. Is management committed to compliance, or does it turn a blind eye to internal problems?
Compliance: A Must
In today’s business world, companies must build compliance into all business processes or suffer the consequences. In fact, in the US, directors have a fiduciary obligation to implement a sound compliance system. So when it comes to compliance, managers can’t question the necessity of a compliance program. In-house lawyers or upper management can’t balk at implementing a compliance program. The CFO can’t claim costs don’t justify a compliance program. It is time for action. When it comes to compliance, just do it!