
Global Corruption Law Compliance Report Insights from the middle market


Power comes from being understood.


When you trust the advice you’re getting, you know your next move is the right move. That’s what you can expect from McGladrey.

That’s the power of being understood.

800.274.3978

www.mcgladrey.com

The Institute of Internal Auditors (IIA) is an international professional association of more than 170,000 members. The IIA is recognized as the internal audit profession’s leader in certification, education, research, and technical guidance throughout the world.

The IIARF publishes this document for informational and educational purposes and is not a substitute for legal or accounting advice. The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.

The Institute of Internal Auditors’ (IIA’s) International Professional Practices Framework (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing.

The IIA and The IIARF work in partnership with researchers from around the globe who conduct valuable studies on critical issues affecting today’s business world. Much of the content presented in their final reports is a result of IIARF-funded research and prepared as a service to The IIARF and the internal audit profession. Expressed opinions, interpretations, or points of view represent a consensus of the researchers and do not necessarily reflect or represent the official position or policies of The IIA or The IIARF.

This publication contains general information only and McGladrey LLP is not rendering accounting, business, financial, investment, legal, tax or other professional advice or services through the information contained within. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. McGladrey LLP, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.

McGladrey LLP is the U.S. member of the RSM International (“RSMI”) network of independent accounting, tax and consulting firms. The member firms of RSMI collaborate to provide services to global clients, but are separate and distinct legal entities which cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party.

McGladrey, the McGladrey signature, The McGladrey Classic logo, The power of being understood, Power comes from being understood and Experience the power of being understood are trademarks of McGladrey LLP.

Copyright ©2013 by McGladrey LLP and The IIA Research Foundation.

Table of contents

I. Introduction

II. A Closer Look at the FCPA

III. Enforcement Background and Recent Actions

IV. Key Themes

V. Tips on Effective Compliance and Monitoring Programs

VI. Conclusion

VII. Participant Profile

I. Introduction

Today’s business leaders operate in a fast-paced and highly interconnected world. With the benefits of enhanced technology, small and middle-market companies are investing, producing, procuring, distributing and selling products or services across the globe more than ever before.

This wide-ranging expansion of global business operations comes with a higher level of bribery and corruption risks. Many middle-market companies, in particular, face exposure to these risks through their third-party business relationships, including arrangements with multinational vendors, service providers, distributors, sales and customs agents, freight forwarders and other intermediaries.

For these reasons, it’s imperative that companies of all sizes become vigilant about compliance with global laws and regulations that prohibit bribery and corrupt business activities, notably the U.S. Foreign Corrupt Practices Act of 1977 (FCPA) and the United Kingdom’s Bribery Act of 2010 (U.K. Bribery Act). In recent years, these laws have become central pillars of a tougher global regulatory environment–one in which business leaders must now pay closer attention to potential bribery and corruption threats to their operations, while assessing the effectiveness of governance, oversight and compliance measures intended to mitigate such risks.

The costs of ignoring bribery and corruption can be surprisingly high. Such costs could include the tangible funds used to pay bribes, potential fines and the cost of investigations, as well as the intangible costs, like reputational harm, debarment and loss of business partners.

With these potential risks in mind, McGladrey, in partnership with The Institute of Internal Auditors Research Foundation (IIARF), sought feedback from 120 C-suite leaders at middle-market companies across the globe. The goal of this Global Corruption Law Compliance Survey was to gain a better understanding of how these leaders perceive their businesses are tackling bribery and corruption risks. We asked participants about steps their companies have already taken to address threats, and what challenges they currently face in defending their businesses against acts of bribery or corruption. Survey participants came from a wide range of industries, with a little more than one-third of respondents coming from companies based outside the United States. See Section VII of this report for a profile of our survey respondents.

In general terms, our survey indicates that middle-market companies with foreign business relationships are aware of global bribery and corruption risks.

However, many leaders expressed specific concerns about the level of preparedness and compliance at their organizations. We asked participants a series of in-depth questions, and performed detailed statistical analyses on the results. The following six key themes emerged from the executives’ responses (and will be reviewed in full detail later in this report):

1. Surveyed middle-market companies, particularly smaller ones, say they have more work to do to effectively respond to global corruption risks.

2. Executives say the level of monitoring and self-policing activity taking place today is higher than three years ago.

3. Executives rank non-financial obstacles above financial ones as a challenge in addressing global corruption risks.

4. Third-party due diligence and monitoring and M&A activity continue to be major sources of global corruption risk.

5. Regular training remains an area of opportunity for companies seeking to improve their corruption law compliance.

6. New whistleblower provisions in the Dodd-Frank Act increase the stakes and regulatory risks for FCPA compliance.

As you review the full findings of our survey, we hope it serves as a useful information resource that can help your company better understand, recognize and protect itself from global bribery and corruption crimes.

We would like to take this opportunity to thank the participants and business executives for their responses, including those who provided personal interviews. We are particularly grateful for the assistance of Dr. Larry Rittenberg, Professor Emeritus at the University of Wisconsin–Madison and former chair of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), for his support and contributions to this survey and report.

II. A Closer Look at the FCPA

The Foreign Corrupt Practices Act was first passed in 1977, after a Securities and Exchange Commission (SEC) investigation revealed that over 400 U.S. companies had used slush funds to make illegal domestic campaign contributions and to bribe foreign officials in exchange for favorable business deals. The FCPA, which was strengthened through major amendments in 1988 and 1998, contains two main provisions:

Anti-bribery: This provision is designed to prevent domestic individuals and companies–along with certain foreign nationals and entities–from using bribes of foreign officials to secure or retain business.

The law does not cover commercial bribery or the receipt of bribes; these are separate legal areas, which are covered by other laws and regulations. Generally speaking, the FCPA prohibits company officers, directors, employees or agents acting on behalf of the company from “offering to pay, paying, promising to pay or authorizing the payment of money or anything of value to a foreign official to influence any act or decision of the foreign official in his or her official capacity, or to secure any improper advantage in order to obtain or retain business.”1 In short, the FCPA makes it illegal to “pay to play” with foreign officials involved with international trade.

Accounting: All public companies listed on a stock market exchange or traded over the counter in the United States (including foreign companies listing American Depository Receipts securities) must comply with the FCPA’s accounting provisions. These provisions feature two basic components. First, subject companies are required to make and keep financial records that accurately reflect all corporate transactions. For example, the FCPA specifically prohibits falsification of financial records in order to conceal a bribe. Second, these businesses must design and maintain adequate internal accounting control systems that demonstrate management’s authority and accountability over the company’s assets.

III. Enforcement Background and Recent Actions

Over the past decade, the level of FCPA-related enforcement activity has steadily increased, with the highest number of publicly announced settlements occurring in 2010 and 2011. Supporting these efforts, the SEC Enforcement Division established a specialized FCPA unit in 2010. The following year, implementation of new whistleblower provisions, as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), further bolstered the government’s ability to pursue and prosecute bribery and corruption crimes (along with numerous other financial crimes).

To help business leaders understand the complex issues around global corruption, the United States Department of Justice (DOJ) and SEC recently published A Resource Guide to the U.S. Foreign Corrupt Practices Act, released in November 2012.2 This guide provides historical context on corruption law and activity, details the specific provisions of the FCPA (anti-bribery and accounting provisions), illustrates guiding principles of enforcement, explains potential civil and criminal penalties for violating the law and outlines paths toward case resolution. The resource guide also provides recommendations on third-party and M&A due diligence, and outlines the agencies’ view on the hallmarks of effective FCPA compliance. We address these specific points for sound FCPA compliance in greater detail in Section V of this report. These recommendations provide a useful starting point to help companies reduce their risk of FCPA violations.

In the guide, the DOJ and SEC note that their primary focus is to combat actual, widespread patterns of bribery. More specifically, enforcement leaders will most aggressively pursue companies that attempt to develop business by using illegal payment schemes (excluding nominal value items). Ironically, these distinctions were underscored by the DOJ’s recent failure to secure any guilty verdicts against defendants in a multiyear “Africa sting” investigation.

The case involved 22 individuals, all but one of whom were arrested by undercover FBI agents at a Las Vegas military equipment conference. The case was eventually dismissed because the alleged bribery occurred between the individuals and FBI agents posing as foreign officials, not during the course of ordinary business.

The failed sting operation may have helped recalibrate the DOJ’s and SEC’s focus, since other recent cases demonstrate stronger alignment with stated enforcement goals. For example, in a case involving Morgan Stanley, the DOJ declined to prosecute the financial services company for FCPA violations because the firm demonstrated its conduct was an isolated event involving a local official in China. The company took action to terminate the executive who made the illicit payments, and the firm self-reported to the SEC upon discovery. Ultimately, the DOJ and SEC both decided to prosecute only the individual executive–not the company. In its release, the DOJ cited Morgan Stanley’s internal controls, stating that they “provided reasonable assurance that its employees were not bribing company officials.”

The Morgan Stanley case demonstrates the DOJ’s consideration for companies that self-report violations, conduct proper remedial actions and demonstrate reasonable internal controls. This enforcement pattern was followed in another recent case involving drugmaker Pfizer, in which an internal review uncovered improper payments by subsidiary Pfizer HCP to regulatory officials in eight foreign countries. Upon discovering the issue, the company voluntarily self-reported details to both the DOJ and SEC. After a full investigation, Pfizer agreed to repay all illicit net profits (plus interest) and a $15 million fine, while also entering into a two-year deferred prosecution agreement (DPA).

Note that this enhanced compliance approach, which defers prosecution in favor of reasonable intent, mirrors guidance found in the FCPA resource guide.

In a similar case, Houston-based Pride International received a three-year DPA in 2010 for bribing foreign officials in Venezuela, India and Mexico. However, the government moved to terminate this DPA in early 2012, because the company had demonstrated “respect for the law and adequate deterrence against international corruption.” All criminal charges were subsequently dismissed.

In both of these cases, the DPA helped the companies avoid an independent compliance monitor, further investigation and the prospect of a public trial–all of which can be cumbersome, costly and embarrassing.

Additionally, when a company successfully completes the terms of a DPA, the DOJ will strike all charges from public record.

While big corporate players caught up in global corruption cases garner the most attention, it’s wise to note that smaller companies are not immune from FCPA enforcement. For example, during 2012, Orthofix International N.V., a firm with approximately $500 million in annual revenue, settled FCPA claims with the DOJ and SEC relating to bribes made by an executive at a subsidiary in Mexico. The company was fined approximately $7.5 million and placed under a three-year DPA.

In a more recent case, Florida-based Harris Corporation self-reported to the DOJ and SEC in 2012 irregular entertainment, travel and other expenses made by Carefx China, which Harris had acquired a year earlier.

These potential FCPA infractions were uncovered during Harris’ post-acquisition audit of Carefx China and disclosed on the company’s 10-K report. The case investigation is still underway.

International initiatives

International initiatives to combat bribery and corruption have also intensified parallel to recent DOJ and SEC efforts. A key addition to the regulatory landscape is the U.K. Bribery Act, which was implemented in July 2011. The Bribery Act is similar to the FCPA in that it provides a legal framework to combat bribery and corruption. The Bribery Act applies to U.K. nationals, U.K. bodies with a commercial element (regardless of where the ultimate profit recipient is located) and persons who ordinarily reside in the U.K. or in a U.K. territory.

The U.K. Bribery Act differs from the FCPA in a few key areas. First, it covers both public sector and commercial bribery. Second, it outlaws both the offering and receipt of a bribe. Finally, it explicitly provides a statutory defense against corporate liability if companies provide proof of adequate procedures meant to detect and prevent bribery (such as a demonstration of adequate internal controls). The U.K. Ministry of Justice released guidance containing six principles of adequate procedures, which are similar to the DOJ’s and SEC’s guidance on hallmarks of effective compliance.3

IV. Key Themes

Not many years ago, an active import and export business was largely limited to the world’s biggest companies. However, a combination of trade agreements, technology and cost imperatives has made globalization a reality for companies of all sizes, with much of the recent growth driven by middle-market companies.

In our survey, over 85 percent of executives4 report that their companies are already doing business with foreign partners–or anticipate doing so within the next two years. Thirty-seven percent of survey respondents with global business say their companies earn at least half of annual gross revenue from non-U.S. customers.

Interestingly, company size was not a particularly important differentiator in this area, as companies with over $1 billion and under $100 million in annual revenue generated roughly equivalent percentages of foreign income.

Because of this increasingly important flow of non-U.S. revenue, it’s vital for business leaders to ensure that compliance with global bribery and corruption laws is part of their company’s overall risk management strategy. It is important to note that the potential for violating these laws is not limited to whether a company has actual foreign operations or joint ventures in non-U.S. markets. Increasingly, companies are facing exposure to global bribery and corruption risks through third-party business relationships in other nations, such as agents, suppliers, distributors or wholesale customers.

According to our survey, just over half of respondents (52 percent) report dealing with more than 100 foreign business partners on an annual basis. Not surprisingly, the largest companies report having the most non-U.S. partnerships, with just over 53 percent of companies with $1 billion or more in annual revenue reporting 500 or more foreign business relationships. On the other hand, smaller companies note connections with a much tighter circle of non-U.S. players. In fact, just over three-quarters of respondents from companies with under $100 million in annual revenue say they deal with fewer than 100 foreign business contacts. Regardless of the total number of foreign business partners, companies of any size must comply with global bribery and corruption laws.

[Chart: On average, how many non-U.S. third parties does your organization conduct business with annually? Response categories: Fewer than 5; 5 to fewer than 25; 25 to fewer than 50; 50 to fewer than 100; 100 to fewer than 250; 250 to fewer than 500; More than 500.]

[Chart: Approximately what percentage of your organization’s annual gross revenues is earned from non-U.S. customers? Response categories: Less than 10%; 10% to less than 25%; 25% to less than 50%; 50% to less than 75%; 75% to 100%.]

1. Surveyed middle-market companies, particularly smaller ones, say they have more work to do to effectively respond to global corruption risks.

As noted earlier in this report, the DOJ and SEC will often temper any global corruption enforcement action against companies that demonstrate established compliance plans and take proactive steps to investigate violations, while following through with appropriate remedial actions and voluntarily self-reporting to regulatory agencies. On the other hand, these agencies are quick to punish rule breakers with no demonstrable policies or vague “paper” compliance programs that do not spell out specific action steps to address global corruption.

Just under 72 percent of all survey respondents say their companies have stand-alone global corruption law compliance policies. Approximately 80 percent of surveyed companies with over $500 million in annual revenue report having stand-alone policies. That’s well above the 58 percent of surveyed businesses under that revenue threshold with anti-corruption plans.

However, a quarter of respondents at companies with established policies say their global corruption law compliance policies and programs lack clear principles, internal controls and supporting procedures–each being vital to an effective compliance program. This lack of specifics does not vary significantly when measured by company size (27 percent for companies with over $500 million in annual revenue vs. 21 percent for those under that mark).

Ideally, all businesses should have global corruption law compliance policies that are integrated with other key corporate guidelines, such as codes of conduct, governance structures and financial controls. Anti-corruption policies should be tested at least annually.

That’s because business operations are dynamic, with continually changing environmental, economic and political risks. Regular testing allows for “real time”

can help businesses identify the most cost-effective control tools. However, only 39 percent of surveyed companies with anti-corruption policies say they test them at least once a year. Forty-five percent of companies with established policies report effectiveness in testing no more than once every other year, and one in four survey respondents with global corruption compliance policies say their plans are never tested.

A key area of compliance is corruption risk assessments, which should be completed by company management (with the support of a qualified outside resource, if necessary) and updated on a regular basis. A hard-nosed internal review should be included in this risk assessment, as well as fact-finding related to third-party expenditures and contracts. In this area, our survey shows large companies holding a clear edge, with 71 percent conducting corruption risk assessments within the past three years, and over 48 percent doing so in the last 12 months. Conversely, just 42 percent of companies with annual revenue of under $500 million report risk assessment activity in the past three years. More alarmingly, 55 percent of those smaller

[Chart: How often does your organization test the effectiveness of your global corruption law compliance policy? Response categories: More than once a year; Annually; Every other year; Less than every other year; Never.]

23% of respondents noted they do not have a formal policy in place.

2. Executives say the level of monitoring and self-policing activity taking place today is higher than three years ago.

Despite the findings referenced earlier, most survey respondents believe their companies’ support for global corruption law compliance is better today than in previous years. For instance, 17 percent of survey respondents say their companies performed no global corruption law compliance monitoring activities three years ago. Today, that percentage has fallen to just under 11 percent.

The level of global corruption law compliance efforts among survey respondents is evident in their self-policing activities. As previously noted, the DOJ and SEC will often take remedial actions by companies into account when determining FCPA enforcement actions.

Approximately 44 percent of leaders in our survey say their companies took at least one remedial action related to global corruption law compliance in the last two years. Respondents at larger companies report a higher number of incidents, with internal disciplinary procedures against an employee, including suspension or dismissal, as the most cited action. Among larger companies, 23 percent of companies in the $500 million to $1 billion revenue bracket–and a third of businesses over $1 billion in annual revenue–report at least one such incident in the last two years.

[Chart: In the past two years, has your organization experienced one of the following events due to a global corruption related incident? Series: Total Surveyed; $1B+ Organizations; $500M - less than $1B; Up to $500M. Response categories: Internal disciplinary action against an employee (e.g., suspension); Dismissal of an employee; Legal action by organization against (former) employee; Potential contract, deal or acquisition restructured; Potential contract, deal or acquisition cancelled; Existing contract with a third party restructured; Existing contract with a third party cancelled; Investigation by a non-U.S. regulator; SEC or DOJ investigation; I don’t know; None of the above.]

Our survey reveals that accountability for global corruption law compliance programs has sharply increased in the past three years, from approximately two-thirds of companies with a dedicated point person accountable for global corruption law compliance three years ago to 84 percent today. However, the data also shows that smaller companies are lagging behind. In fact, just 66 percent of companies with annual revenue of under $100 million have assigned a dedicated individual to be in charge of corruption law compliance. That number rises to 75 percent for businesses with annual revenue between $100 and $500 million. This is not surprising, since executives at smaller companies often must play several roles.

Nonetheless, as companies grow, they should consider more formalized compliance functions. Even in situations where smaller companies cannot afford to have a single individual accountable for corruption law oversight, ensuring separation of duties between compliance, accounting and operations functions may be a feasible way to demonstrate commitment to a good ethical environment.

When assigning individual responsibility for corruption law compliance, survey respondents most commonly identify general counsel (30 percent), chief audit executive or head of internal audit (21 percent) and the company’s chief compliance officer (17 percent). Survey respondents from companies with $500 million or more in annual revenue are more apt to assign primary responsibility to the office of general counsel (40 percent). Interestingly, executives from the largest companies (more than $1 billion in annual revenue) are more likely to assign corruption law compliance to executives outside the office of the general counsel than companies between $500 million

In terms of support staff, survey respondents say internal audit is the department most often assigned to perform global corruption law monitoring and compliance activities (58 percent). Next to internal audit, the general counsel’s office, compliance, accounting and senior management are areas most frequently named.

Interestingly, even among smaller companies, internal audit is most frequently associated with corruption law compliance responsibilities. On the other hand, just 19 percent of survey respondents identify senior management as having primary responsibility for corruption law compliance. This is an important finding, since tone at the top of any organization is critical.

Leaders have strong influence on the development of an ethical culture, in which all employees understand the company’s vision, values and standards. So, while global corruption law compliance is the responsibility of each individual, leaders do play an outsized role in

Please indicate the individual in your organization with primary responsibility for monitoring global corruption risks and corruption law compliance.

General counsel: 30%
No dedicated individual: 16%
CFO: 3%
CAE or head of internal audit: 21%
Global risk executive or chief risk officer: 6%
CCO: 17%
CEO: 3%
Other: 3%
I don’t know: 1%

3. Executives rank non-financial obstacles above financial ones as a challenge in addressing global corruption risks.

As mentioned previously, any successful global corruption law compliance effort requires visible support of senior leadership. However, it also needs a financial investment and real-world operational flexibility. Not surprisingly, those issues present hurdles that can be difficult for some companies to clear. In this survey, we asked respondents to rank the top three obstacles they face in addressing global corruption risks and compliance.

Interestingly, survey respondents say non-financial issues, such as hardships in managing cultural differences or diverse business norms across countries, often trump financial roadblocks as obstacles to compliance. In fact, only companies with under $100 million in annual revenue identify financial issues, such as accurate cost and benefit measurement of compliance efforts, as the most significant barrier. This seems intuitive, since smaller companies tend to have more limited resources, and are typically further behind in establishing compliance structures.

Overall, cultural differences lead the list of compliance roadblocks for companies of all sizes, followed by limited familiarity with global corruption laws and best practices and tone at the top. Leaders also express concerns about ensuring compliance involvement by business units and establishing a consistent tone at the top, or commitment by senior management.

Surprisingly, the effect of anti-corruption actions on profitability was not often cited as an obstacle to compliance. The chart below ranks obstacles to global corruption law compliance most often cited by survey participants.

[Chart: Respondent rankings of significant obstacles ordered by response frequency score (in points). Obstacles: Cultural differences/Diverse business norms across countries; Consistent tone at the top/Commitment by senior management; Limited familiarity with global corruption laws and best practices; Ability to accurately measure cost/benefit of compliance efforts; Ability to ensure involvement by business units; Financial/Budgetary constraints; Access to comprehensive database of relevant laws and regulations; Other; Pressure to maintain profitability; Logistical constraints (e.g., communication); Personal constraints.]

While survey respondents clearly believe progress is being made on corruption law compliance activity and accountability, they also acknowledge room for improvement. A majority of surveyed business leaders say their organization’s internal controls, with respect to global corruption law compliance, need to improve, particularly in the areas of oversight and monitoring procedures, as well as third-party due diligence.

Lapses in these vital risk management areas can create expensive consequences. For example, in December 2012, Indianapolis-based Eli Lilly and Company (Lilly) entered into a $29.4 million payment agreement with the SEC. This agreement settled charges that included a Lilly subsidiary paying millions of dollars in bribes to Russian government officials through “marketing” or “service” agreements with third parties associated with those same officials. According to the SEC, the pharmaceutical company knew “little or nothing about the third parties beyond their offshore address and bank account information.” The alleged conduct took place over several years, and the company faced other allegations for activities in Poland, China and Brazil.

In our survey, 75 percent of all companies agree that their corruption law-related internal controls need some level of improvement. A closer look at the data sheds added light on where compliance upgrades are most urgently needed. For instance, approximately 43 percent of companies with less than $100 million in annual revenue say internal controls for global corruption law compliance need “substantial improvement.” On the other hand, the highest percentage of respondents saying controls need “some improvement” come from companies in the over $1 billion revenue bracket. In regard to specific internal control improvements, survey participants most

As a general rule, companies in our survey are aware of the need for global corruption law compliance, but those companies are not all devoting significant effort to achieving that goal. In fact, only 13 percent of respondents say their companies are making “substantial” efforts toward global corruption law compliance. Businesses with less than $500 million in annual revenue most frequently report their effort level as “minimal,” with 22 percent of those firms identifying effort around global corruption law compliance as “nonexistent.”

[Figure: What is your perception of the amount of effort your organization devotes to global corruption law compliance? Responses (Nonexistent, Minimal, Moderate, Substantial, I don’t know) shown for total surveyed and by revenue bracket: $1B+ organizations, $500M - less than $1B, and up to $500M.]


According to Compliance Week, nine in ten FCPA-related actions involve third parties, including those involved in merger or acquisition activity. Despite that widely understood threat, our survey results show only a small percentage of companies directly addressing that risk. In fact, only 30 percent of all survey respondents say their companies always conduct a risk review of existing business relationships and ties to agents in foreign countries. Middle-market companies in the $500 million to $1 billion revenue bracket perform best in this area, with just over 41 percent of respondents saying they always perform such checks.

During the past few years, the middle market has largely fueled domestic and international M&A activity. Companies need to consider bribery and corruption risks in their due diligence of potential M&A partners.

As a whole, respondents say their companies do a good job of evaluating outside representations within purchase and sale agreements, with slightly more than 38 percent saying they always take this step. Again, companies in the $500 million to $1 billion revenue range lead the way, with 53 percent of those companies always handling the task. That is considerably higher than the 27 percent of businesses with revenue over $1 billion who say they always perform such verifications.

How often does your organization perform the following due diligence activities for third parties and M&A partners?

Detailed risk review of existing business relationships and ties to agents in foreign countries: Always 30%, Sometimes 29%, Never 28%, I don’t know 13%

Evaluation of representations within purchase and sale agreements: Always 38%, Sometimes 36%, Never 13%, I don’t know 13%

Independent research on company, management and business climate in foreign markets (e.g., through reviewing periodicals and other industry sources): Always 26%, Sometimes 41%, Never 17%, I don’t know 17%

Government inquiries into past or ongoing corruption law violations or investigations: Always 12%, Sometimes 31%, Never 29%, I don’t know 29%

Interviews of senior management: Always 23%, Sometimes 45%, Never 13%, I don’t know 19%

Standardized questionnaires sent to company management: Always 19%, Sometimes 29%, Never 37%, I don’t know 15%

4. Third-party due diligence and monitoring and M&A activity continue to be major sources of global corruption risk.


Our survey shows notable underperformance across the board in several due diligence activities that generally do not require significant effort. For instance, just over one in four businesses say they always conduct independent research on foreign market companies, management or business climates. This presents an area of opportunity, since such information on potential business partners or M&A targets is relatively easy to obtain. Similarly, 23 percent of respondents say they always conduct senior management interviews with prospective partners, and only 12 percent say they always check with local governments regarding any past or ongoing corruption law violations.

On an encouraging note, nearly 70 percent of survey respondents say they use standard contract templates in third-party and M&A transactions. In this area, companies with $1 billion or more in annual revenue were top performers (76 percent), while companies in the $100 to $500 million bracket lag well behind (56.3 percent). Nearly 74 percent of companies in our survey say they review and update their contract templates on a regular basis, with companies in the $500 billion to $1 billion revenue range leading the way at nearly 82 percent.

While standard contract language is valuable as a risk management device, companies can take a couple of simple steps to further strengthen anti-corruption defenses. For example, it’s a good idea to insert corruption law compliance certifications as part of all third-party agreements, and ask business partners to recertify on a regular basis. In addition, businesses should seek audit rights and periodically test compliance, particularly with key business partners and other third parties judged to have high bribery or corruption risks.


Unquestionably, consistent training on a company’s global corruption law compliance policies and internal controls is critical to success. Typically, best-in-class programs tailor training sessions by job responsibility, delivering customized content built around specific issues various employee groups are most likely to face.

While annual corruption law compliance training is considered a best practice, most companies in our survey fall short of that mark. In fact, just 43 percent of respondents say their companies conduct training at least once each year.

Slightly more than one-third of all companies in our survey say they offer no compliance training, with the vast majority of those businesses in the under $500 million annual revenue bracket. Still, 24 percent of companies with over $1 billion in annual revenue also say they don’t provide corruption law compliance training. This is a missed opportunity, since a demonstrated commitment to compliance training and required certifications of completion can be a valuable good faith asset during a DOJ or SEC investigation.

Our survey finds that a majority of companies with more than $500 million in annual revenue require senior management, sales and marketing, internal audit and non-U.S. employees to attend corruption law compliance training. Within that group, respondents say sales and marketing staff are the most likely segment to be excused from training (26 percent).

Additionally, just one in five companies requires consultants and contractors to attend regular training. These are critical lapses, since sales, contract and consulting resources often have significant exposure to external bribery and corruption risks.

Corruption law compliance training can be successfully conducted either in person or online, though live training in the local language is best for employees who have the greatest exposure to possible risks. However, approximately 75 percent of larger companies in our survey say they do not take such extra steps to tailor programs to address local market issues.

[Figure: If your organization offers global corruption law compliance training, how frequently is it offered? Response options: Twice a year or more; Annually; Every other year; Less frequently than every other year; New hire orientation only; Not applicable.]

[Figure: Who is required to attend such training? Groups shown: Senior management; Non-U.S. employees; Treasury personnel; Sales professionals; Marketing professionals; Internal auditors; Consultants/contractors; Board of directors; Other.]

5. Regular training remains an area of opportunity for companies to improve their corruption law compliance.


As part of Dodd-Frank, a whistleblower bounty program was created to provide sizable financial incentives for individuals who report securities and commodities law violations to the SEC. The Dodd-Frank whistleblower provisions, which strengthened protections against retaliation, also extend to FCPA enforcement. While it’s still too early to quantify the law’s full impact, these enhanced provisions are expected to contribute to increased enforcement activity in upcoming years.

The prospect of greater financial incentives for outside whistleblower reporting to regulatory agencies raises the odds that employees or other stakeholders may now choose to bypass internal mechanisms for violations. This risk puts greater emphasis on strong internal controls, vigilant detection efforts and immediate self-reporting of possible issues when uncovered.

As previously noted, both the DOJ and SEC tend to be more lenient with companies that self-report violations, rather than those where wrongdoing is exposed by an individual whistleblower. In our survey, business leaders clearly seem to understand that distinction, with over 60 percent of respondents saying their companies actively promote the use of company-sponsored whistleblower hotlines. While another 20 percent of survey participants say they offer dedicated whistleblower hotlines, they acknowledge the service needs more active promotion. For the remainder of companies, the implementation of a dedicated hotline could be a relatively simple tool to improve compliance efforts.

In addition to a dedicated hotline for whistleblower reporting, companies should always strive to provide open lines of employee communication. For example, a dedicated compliance function can be a central place to field employee questions on FCPA-related matters, which demonstrates a firm’s dedication to good ethics and transparency. Some large organizations have recently activated corporate ombudsman programs as part of their commitment to ethics and corruption law compliance efforts.

6. New whistleblower provisions in the Dodd-Frank Act increase the stakes and regulatory risks for FCPA compliance.


V. Tips on Effective Compliance and Monitoring Programs

As previously noted in this report, there are a number of available resources to assist business leaders with corruption law compliance activity. An excellent starting point is A Resource Guide to the U.S. Foreign Corrupt Practices Act, released by the DOJ and SEC in November 2012. This guide illustrates the guiding principles of enforcement, explains potential civil and criminal penalties for violating the law, outlines paths toward case resolution and offers 10 hallmarks of effective compliance programs.

Additionally, companies should be aware of pending changes in the COSO internal controls integrated framework, which are expected to be released later this spring. A key reason for updating the COSO framework was to help make internal control principles responsive to strong, sustained growth in international business relationships. More specifically, the draft framework released in December 2011 discusses possible corruption risks with respect to third-party actions, and addresses how companies might respond, depending on the level of identified risk.

To help guide middle-market business leaders, we present some real-world insights addressing the 10 hallmarks of effective compliance programs contained in the FCPA resource guide.

1. Commitment from senior management and a clearly articulated policy against corruption

Without question, any compliance and monitoring approach is only as good as the support it has from senior leadership. Dr. Larry Rittenberg, Professor Emeritus at the University of Wisconsin–Madison and former chair of COSO, says that even if most business leaders want to operate ethically and within the law, they need to be visible on the need for global corruption law compliance.

“As with any risk management program, a strong tone at the top is always required. That’s because leaders are essential to articulating a company’s values and explaining what happens if those values are violated.”

– Dr. Larry Rittenberg

2. Code of conduct and compliance policies and procedures

As a best practice, organizations need to take a holistic approach to compliance. This often means involving one or more players from staff- or consultant-based internal audit, as well as leaders in such areas as operations, sales and marketing, finance or purchasing.

While legal compliance with FCPA regulations is a key requirement, this group also should find ways to blend a company’s ethics or code of conduct statements into global corruption law policies.

“This integrated approach helps provide an understanding of why compliance is important, and how those rules apply to the company’s ethical standards or code of conduct.”

– Dr. Larry Rittenberg


3. Oversight, autonomy and resources

Next to strong executive oversight and a team approach in developing a corruption law compliance policy, every program needs to carefully evaluate where to deploy compliance tools for maximum effect. This means selecting the right controls for identified risks, while ensuring that employees feel supported–not intimidated–when tools are put in place.

“You have to assess your needs and allocate your resources, not only personnel but also technical resources to develop and articulate the objectives of the entire [compliance] framework. Develop key performance indicators that are sustained through your business cycles, to avoid ‘flavor of the month’ [compliance] situations.”

– Purchasing supervisor for a mining organization

4. Risk assessment

One of the biggest FCPA-related compliance challenges is the assumption that the law doesn’t affect a given company. For example, a small or midsized company that generates no revenue from foreign sales may assume it has no FCPA exposure. However, if that same firm has third-party supplier or partner relationships in other nations, it’s potentially at risk for global corruption law compliance violations.

“Third-party risk is often overlooked as an FCPA compliance issue. Even if various tasks are outsourced to foreign providers, a company is responsible for ensuring those tasks conform to FCPA and other applicable global corruption laws.”

– Dr. Larry Rittenberg

5. Training and continuing advice

When doing business with international partners, it’s wise not to view everything through a U.S.-centered lens. Many behaviors that would not be generally accepted in American business are routine activities in other parts of the world. So, a best practice in training is to recruit and retain personnel who understand both FCPA compliance and the nuances of select foreign markets.

“You cannot underestimate the need for basic training on normal policies and procedures and then anti-corruption measures [in new markets]. If your workforce doesn’t have a basic understanding of why [they need to be] concerned about things such as vendor checks or tracking miscellaneous expenses, you are going to fail.”

– Global internal audit director of an agricultural equipment manufacturer


6. Disciplinary measures

Having a global corruption law policy is not necessarily the same as enforcing it. In addition to strong tone at the top, companies also must hold all department heads accountable for FCPA compliance. If a violation is discovered, this approach helps ensure a hands-on approach to case review, discipline (if warranted) and broader corrective actions.

“In response to incidents, we took action with the individuals who were found to have engaged in the activity, including termination or other forms of punishment. We also reviewed the business practices and policies to determine if there was a weakness in the structure. We then took steps to rectify any processes that were identified as a weakness.”

– Global internal audit director of an agricultural equipment manufacturer

7. Third-party due diligence and payments

Under the best of circumstances, due diligence can be tedious and time-consuming. On the other hand, vigorous effort in this area can pay handsome dividends–especially when research on third-party providers uncovers questionable results.

“Our [compliance] strategy is quite cautious. We have rejected some projects when our [due diligence] was negative. Even if they could be very profitable, some projects were just considered too risky for various reasons.”

– Senior audit, compliance and risk officer in the oil and gas industry

8. Confidential reporting and internal investigation

The risk of FCPA violations does not always stop outside company walls. For example, in smaller or midsized companies, senior leaders often perform more than one role, meaning they are often in direct contact with foreign officials or third parties. On occasions when a senior leader is involved in committing or covering up a violation, it can be difficult to address–especially if the firm does not have an outside audit committee or other external board of directors.

“I think within most companies there is reporting of potential conflicts of interest and the potential for corruption. The problem is how to gather all of these signals and information together and act upon it.”

– Senior audit, compliance and risk officer in the oil and gas industry


9. Continuous improvement: periodic testing and review

As a general rule, employees want to play by the rules. While those who develop and implement anti-corruption compliance policies understand both the legal context and practical applications, many employees do not. To help eliminate that gray area, consider periodic plan testing that includes an awareness and training component on common issues.

“Once employees read the [anti-corruption] policy one day, they may not remember it when scenarios actually arise. So, if the company keeps [testing workers on] practical examples of how the policy should be applied day-to-day, people will have more exposure to the policy.”

– Purchasing supervisor for a mining organization

10. M&A: pre-acquisition due diligence and post-acquisition integration

For middle-market companies in particular, corruption law compliance problems can be a factor in M&A transactions. To that end, the resource guide calls out some critical tips to help both target and acquiring companies reduce their risks of FCPA violations. First, business leaders should perform risk-based FCPA reviews during pre-acquisition due diligence, such as assessing if a prospective company’s code of conduct and training is FCPA-compliant. Once an acquisition is complete, executives should perform an FCPA-specific audit, which may include reporting of any corrupt payments discovered in the acquired entity.

To support this point, consider the example of ABM Industries, which in 2010 acquired The Linc Group LLC, a $500 million firm prior to the acquisition. Shortly after the deal closed, ABM uncovered FCPA issues related to dealings with a foreign entity affiliated with a joint venture partner of The Linc Group. ABM launched an internal investigation, terminated the arrangement and self-reported to the DOJ and SEC, spending over $3 million in the process, according to disclosure filings with the SEC. If this level of due diligence had been conducted upfront, ABM may have saved considerable time and money–and the outcome of that deal might have been different.

In these types of instances, it’s wise for the acquirer to consider including specific compliance with corruption law provisions in the representations, warranties and indemnity protections of the purchase and sales agreement. This can protect the buyer after a deal is done, especially if evidence later shows that the seller misrepresented or hid factual data that would have adversely affected the final purchase price. If pre-acquisition due diligence uncovers a potential FCPA issue, companies need to consider restructuring the deal into a carve-out–or abandoning the deal altogether.


VI. Conclusion

It’s clear that we now live in a world in which companies of all sizes compete in the global marketplace. Every day, middle-market companies are actively expanding into new markets and collaborating with international business partners. This expansion in global reach comes with added responsibility.

Companies must be more vigilant with governance and control efforts, allowing them to guard against bad players and ensure compliance with global anti-bribery and corruption laws. The stakes have never been higher.

Our survey of executives at middle-market companies reveals that good progress has been made in recent years. However, much work remains to be done. Specific areas in need of improvement include oversight, monitoring and third-party due diligence.

Recent regulatory actions and newly issued guidance from the DOJ and SEC provide general road maps that companies must consider as they continue to enhance and improve their corruption law compliance programs. Finally, while companies may benefit from outside assistance to help improve corruption law compliance, our findings emphasize that the role of internal audit–and good internal controls–has never been more important for tackling global bribery and corruption risks.

Resources and Notes:

1) Page 19, A Resource Guide to the U.S. Foreign Corrupt Practices Act, U.S. Department of Justice and Securities and Exchange Commission.

2) Copies of A Resource Guide to the U.S. Foreign Corrupt Practices Act may be downloaded at http://www.justice.gov/criminal/fraud/fcpa/guidance/.

3) The Six Principles and the entire U.K. Bribery Act 2010 can be viewed at http://www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf.

4) Of 120 total survey respondents, 102 said they were employed by an organization that has operational or business partnerships with non-U.S. third parties. Those arrangements make those companies subject to global corruption law risks and compliance issues. Therefore, the percentages stated in the key findings portion of this report are based on those 102 respondents.


Acknowledgements:

IIARF Steering Committee: John Beeler, John Brackett, Deborah Poulalion, Dr. Larry Rittenberg

Advisors: Peter Brady, John Brackett, Rob Kastenschmidt, Scott Peltz

Contributors: Yanna Ma, Matt Snellings, Patricia Toro

Contacts:

Joseph E. Decilveo, Jr., Partner and Northeast Region Leader, Financial Advisory Services, McGladrey LLP, joe.decilveo@mcgladrey.com, 212.372.1299

John Rollins, Manager, Financial Advisory Services, McGladrey LLP, john.rollins@mcgladrey.com, 212.372.1298

Mark McNamee, Partner, Risk Advisory Services, McGladrey LLP, mark.mcnamee@mcgladrey.com, 703.336.6488


VII. Participant Profile

Of 120 total survey respondents, 102 said they were employed by an organization that has operational or business partnerships with non-U.S. third parties. Those arrangements make those companies subject to global corruption law risks and compliance issues. The following participant profile data is based on those 102 respondents.

[Figure: Respondents by job title. Categories shown: Chief audit executive (CAE) or head of internal audit; Internal audit director or manager; Internal audit staff or senior staff; Chief financial officer (CFO); Chief compliance officer (CCO); Global risk executive or chief risk officer; Chief executive officer (CEO); General counsel; Controller; Other*.]

*Other includes titles such as: Senior accountant, General manager and Consultant

Public vs. private organizations: Private 40%, Public 60%

Is your organization a portfolio company? Yes 16%, No 84%

Is your organization U.S.-based? No 34%, Yes 66%


[Figure: Organization’s primary industry. Categories shown: Manufacturing/Wholesale/Distribution; Business and professional services; Technology; Consumer products/Retail; Oil and gas/Energy; Not-for-profit/Non-governmental organizations; Banking/Financial institutions; Life sciences/Pharmaceuticals; Financial services (excluding Banking or Insurance); Insurance; Media/Broadcasting/Publishing; Metals and mining; Real estate and construction; Aerospace and defense; Medical device manufacturing; Utilities; Other*.]

*Other industries include: Import/Export, Agribusiness and Gaming

[Figure: Annual revenue range of organizations. Brackets shown: Under $100M; $100M - less than $500M; $500M - less than $1B; $1B +.]
