Corporations determined to maintain employee productivity amidst the massive global shift to remote work triggered by the Covid-19 pandemic may not have given as much thought to a critical complication: How to oversee those employees and validate their ongoing compliance with policies, procedures, and internal controls that guard against fraud.
The concept of e-oversight is not new, particularly for major U.S. corporations that have had to monitor international subsidiaries for compliance with the Foreign Corrupt Practices Act. But now the oversight function and international employees are each an additional step removed from one another, away from their customary resources and tools, and at a scale likely not anticipated.
The risk isn’t a theoretical one. The Securities and Exchange Commission’s recent FCPA settlement with Cardinal Health made clear that the commission views rigorous e-oversight as critical to mitigating business risk. As companies adjust to potentially months of continued social distancing and limits on international travel, now is a fitting time for compliance personnel to focus on strengthening e-oversight capabilities.
Cardinal Settlement Hinges on Lack of E-Oversight
The SEC alleged in its cease and desist order that Cardinal, a health-care services and products company, violated the FCPA’s requirement to maintain sufficient internal accounting controls and accurate books and records related to marketing payments that its Chinese subsidiary made to employees of state-owned entities responsible for purchasing decisions. Although Cardinal neither admitted nor denied the findings, it agreed to stop the alleged activities and to pay $5.4 million in disgorgement, $916,887 in prejudgment interest, and a civil penalty of $2.5 million.
The SEC detailed numerous concerns with the marketing accounts, including that Cardinal China had allowed this particular set of marketing accounts to remain open for one distributor despite closing others due to “known FCPA-related compliance risks associated with channeling the marketing expenses of third parties through its own books and records.”
But the SEC specifically called out Cardinal’s failure to apply appropriate e-oversight to the marketing accounts it allowed to continue: “Cardinal China knew . . . [that] a large portion of the marketing employees conducted some of their business using e-mail accounts and computer systems that . . . were inaccessible to Cardinal’s and Cardinal China’s compliance personnel, and Cardinal China had no ability to review the full scope of the marketing employees’ activities” (emphasis added).
Obviously, it was difficult for Cardinal to apply and enforce compliance with internal control procedures for transactions and communications it could not access or monitor. The SEC order found that “Cardinal China regularly authorized and made payments from the marketing accounts at the direction of the dermocosmetic company without controls sufficient to provide reasonable assurance that the transactions were executed in accordance with management’s general or specific authorization, and failed accurately to record on its books and records payments made from the accounts” (emphasis added).
Robust E-Oversight Crucial in Coming Months and Years
As the Cardinal settlement illustrates, it is often the internal controls portion of the FCPA’s accounting requirements that acts as the gatekeeper to prevent or detect violations. Weak internal controls all but ensure that prohibited transactions will go undetected and ultimately be falsely recorded in a company’s books and records.
Applying internal controls from a distance is difficult even in normal business times. International companies may operate through numerous subsidiaries, each of which is responsible for contracting with a wide variety of third parties. Even with the best internal controls, it can be challenging to identify patterns of low-dollar payments that cross the line or the proverbial larger-dollar needle in a haystack. But without robust e-oversight built into internal controls, it becomes nearly impossible. It is imperative that all transactions that occur in overseas subsidiaries, as well as the communications related to those transactions, be subject to review.
The widespread business disruption caused by Covid-19 has forced both big and small companies to transition from physically overseeing dozens of employees in a single shared space to attempting to monitor those same employees while they work remotely. E-oversight becomes even more essential due to the current (and future expected) inability of compliance personnel to travel for any in-person monitoring, auditing, or oversight.
For example, on-site visits to review hard copies of fapiao (official tax invoices in China) or assess the adequacy of paper support for electronic records may be prohibited by many countries for months to come. The use of manual entry ledgers or hard-copy scans (rather than electronically generated materials) may make computer data analysis, statistical sampling, and deviation modeling impossible without significant manual data entry efforts that are impractical for international enterprises.
In today’s global (and socially distanced) environment, complete electronic oversight is the only reasonable means by which to accomplish this goal. As evidenced by Cardinal’s settlement, allowing transactions to exist outside the internal controls framework is akin to having no internal controls at all.
E-oversight is, now more than ever, an essential aspect of FCPA compliance, and an increasing area of focus for the SEC. In an evolving post-Covid-19 business environment, SEC staff are unlikely to accept excuses from corporations with anything less than rigorous e-oversight internal control systems that account for comprehensive remote access.
Executive officers should meet jointly with internal compliance and information technology teams on a regular basis to review the full scope of how operations are surveilled and reviewed in order to ensure that all company-related (including subsidiary and third-party) transactions are both electronically accessible and appropriately incorporated into an automated compliance review process.
As Cardinal’s recent settlement shows, incomplete e-oversight leaves companies vulnerable.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Thomas A. Sporkin, a partner at Buckley LLP, spent 20 years with the SEC, served as chief of its Office of Market Intelligence, and oversaw numerous FCPA investigations. He represents individuals and businesses in matters before the SEC and other financial regulators.
Meredith Leeson is an associate at Buckley LLP where she represents corporations and individuals in a wide range of enforcement, regulation, and litigation matters involving the SEC, DOJ, and FTC on FCPA and securities investigations. Through her work with the government, she covered INL’s AML/CFT portfolio in Kabul and SIGIR’s fraud investigations in Iraq.