Another two large bribery and corruption scandals, involving major companies that violated FCPA regulations, have been reported in recent weeks. You would be forgiven for thinking that cases like these would be consigned to history by now, given the better software automation, heightened controls and increased scrutiny over the past 10 years. The questions this raises are: how is this still going on, how did it happen, and could these cases have been prevented with keener management attention and oversight?
The Dutch telecommunications company Vimpelcom has been fined $795 million after being found to have paid bribes to a daughter of the Uzbek President in order to win a national telecoms contract. This is the third biggest FCPA fine on record. The bribery payments were recorded in the company systems with some attempt at ambiguous transaction descriptions, and went unnoticed under their reportedly weak and inadequately enforced system of internal control. Vimpelcom have had to appoint a new CEO, CFO, group general counsel and group chief compliance officer, demonstrating not only the high monetary cost but also the reputational and personal liability impact for management insufficiently concerned with oversight.
The other case that hit the headlines recently was SAP’s fine of $3.9 million after their sales organization in Mexico offered discounts of up to 82 percent to a local partner, who used the excessive discounts to fund and disguise bribes for new SAP sales contracts. Local management were evidently given the discretion to make unusually aggressive decisions on software discounts with insufficient control and oversight. The more deals they made, the more resources and discretion they were given, exacerbating the problem. The unusually high discounts were recorded as legitimate on the books of SAP’s Mexican subsidiary and were subsequently consolidated into corporate financial statements. More autonomy without corresponding oversight is a high risk, and excessive sales discounts can often be used to cover up a multitude of sins, as this sorry tale exposes. The SAP regional sales manager primarily responsible is currently residing in a very small room with the only handle on the outside!
There are similarities between these cases: both exemplified a lack of oversight at key approval stages. All the transactions were recorded in the companies’ systems, but were disguised just enough that a casual observer would not look twice at the corrupt transactions. Systems of policy and controls were being manipulated or circumvented, and there was insufficient scrutiny over approvals and little or no transaction-level monitoring to catch the anomalous occurrences (think of the tyre tracks in the snow that illustrate circumvention of the parking barrier in our much loved picture below).
It is clear that there can be a big gap between what top management think is happening and what is actually happening, and the reality may be that cursory system and controls reports aren’t telling the full story!
Given the personal liability of executives, senior management obviously want to prevent any such incident with the implementation of corporate ethics, policy management, system-embedded approval controls and oversight of all processes. Clearly, these preventive controls failed in these cases. There is therefore a need for detective monitoring to bring the ‘tyre tracks in the snow’ into stark relief. Independent observers agree that continuous monitoring of all transactions is the missing link. Events like these could well have been detected and addressed early with a system of Continuous Controls Monitoring (CCM) in place. In these cases, management needed warning signs of unusual one-time vendor activity, large scale payment approvals and unprecedented discounts to trigger heightened anti-corruption scrutiny.
The global nature of business makes checking on compliance policies a complicated task. Compliance departments often don’t have the travel budget to be flying regularly to validate what local units are reporting. The concept of ‘materiality’ also sometimes ‘favours’ the smaller outlying operations that get less audit and compliance attention. Automated Continuous Control Monitoring systems can act as a watchdog, both as a preventive deterrent and an efficient detective for wrongdoers.
Continuous Controls Monitoring ensures that business processes and related controls are working as they should, assuring compliance and eliminating error and waste. It identifies exceptions to policy, process or expected results, so not only are you continuously monitoring, but also continuously improving business processes, which results in efficiency gains in many areas.
With record fines for non-compliance and ever greater scrutiny, business cannot be complacent. No-one was expecting these compliance failings. Management needs to ensure that ‘tone at the top’, effective internal controls and efficient transactional oversight are at the top of the agenda, and to invest in effective tools and processes. The reputational pain and the fines when it all goes wrong are enough to seriously damage even the most well established company. It is widely reported that the companies who have put in place a well-developed system of Continuous Controls Monitoring are treated more favourably than those where management have been found to be ‘asleep at the wheel’.
Financial reporting concerns have led to a focus on better control and analytics around the Record to Report (R2R/RtR) process. Concerns with fraud, waste and error have led to a similar focus on the Procure to Pay (P2P/PtP) cycle.
Perhaps it is time that the Sales process of Customer/Order to Cash (O2C/OtC) was exposed to a higher level of systematic scrutiny.