August 19th, 2014

By David Coleman and Beth Junell

It should go without saying that success in the natural resources business requires keen attention to business resources. Specifically, this means keeping a close eye on what affects the bottom line and always searching for ways to stay in the black. One source of cost reduction and recovery that can have a positive effect on the bottom line is reviewing third-party contracts already in force.

Companies operating in the mining and mineral industry are facing increased financial pressure of late. With revenue inflows having declined due to lower commodity prices, and with less access to capital, many organizations renewed their focus on reducing outflows. To address these realities, and identify potential cost savings, contract reviews have become increasingly prevalent. These reviews can help companies control and contain capital and expense related outflows.

Contract reviews, if done effectively, can pay significant dividends. These reviews can be broadly done across the entire portfolio of contracts or projects, or can be done in a targeted manner, focusing on individual contracts. For example, in a broad application, EY conducted a contract review on a project with expenditures in excess of $30 billion on behalf of a client in the energy sector. EY leveraged technology to review 218 contracts and identified over $61 million in savings, which generated a 10:1 return on investment. As a result, some 30% of the firm’s contracts were renegotiated. While not all contract reviews have such significant outcomes, even reviews of individual contracts can result in a positive return, and in our experience most are at least self-funding.

In another example, we worked with a global mining client who believed that one of its mines was making losses, with fraud and waste being suspected. The company employed a new mine manager and finance manager as part of its turnaround strategy. With fraud a very real possibility, however, the CFO of the holding company also sent a team of forensic specialists to assist the finance manager. While working with the finance manager, the team identified risk areas and contracts to focus their attention on.

August 5th, 2014

By Jonathan Huynh

US companies may be at increased risk as a result of India’s well-intended new law surrounding Corporate Social Responsibility (CSR). The good news is that for many US companies, CSR has evolved into the fabric of their business, resulting from social and political maturity in this area as well as companies looking to promote the many good “by-products” of their products or services.

However, CSR becomes more complicated when it is subject to legislation and regulation, as it is now in India after passage of the new Companies Act of 2013 (“the Act”). Under Section 135 of the Act, every company in India with a net worth of at least Rs. 5 billion ($83M USD), a minimum turnover of Rs. 10 billion ($160M USD), or a minimum net profit of Rs. 50 million ($830,000 USD) is obligated to set aside 2% of its average net profits for donation to socially responsible activities in India. These activities include things such as promoting education, environmental sustainability, and gender equality.

The law impacts not only Indian companies, but also foreign companies that conduct business in India, whether directly or through third-party agents. These companies must establish a CSR Committee that is responsible for formulating a CSR policy and recommending CSR activities that fall under the Act’s activities guideline listed under Schedule VII.

International companies with operations in India are finding this topic to be receiving significant attention from their compliance and internal audit departments, particularly because provisions of the Act leave room for question and ambiguity. Technology firms across the United States, from Silicon Valley to Brooklyn, are particularly affected, as many have key operations in India.

The most pressing questions include:

  • Are companies required to donate 2% of their overall profits, or just the profits from their Indian business?
  • If companies choose to donate these profits to non-governmental organizations who purport to in turn apply the funds to good social causes in India, how can the donors ensure the money does not end up in the wrong hands? And are they in fact responsible for ensuring appropriate use by the recipients of the funds? Would misuse of the funds by the recipients put the donor at risk of violating the U.S. Foreign Corrupt Practices Act (FCPA) or other anti-corruption laws? If so, under what circumstances?
  • Who will be responsible for monitoring this process, both internally, and among the various government regulators (in India and elsewhere)? International businesses are struggling with these issues because the Indian law, as written, is ambiguous as to compliance obligations.

July 30th, 2014

By Vincent Walden

Recent regulatory enforcement actions demonstrate that companies seeking growth are encountering markets with higher levels of fraud, corruption and bribery. To determine the adoption and effectiveness of data analytics tools by businesses worldwide, EY conducted a Global Forensic Data Analytics Survey in 2014, interviewing more than 450 executives across 11 major markets.

As the marketplace expands in size and complexity, the term “big data” has been coined to express the exponential increase in volume, velocity and variety of data. Seventy-two percent of survey respondents indicated that big data provides significant opportunities for companies to utilize Forensic Data Analytics (FDA) in mitigating fraud and corruption risks. However, only 7% are aware of big data technologies, and only 2% actually leverage such capabilities.

Need for FDA

The survey results identified three major risk areas where FDA can play an important role: asset misappropriation, financial statement fraud, and capital project spend.

It is apparent that FDA efforts are well-aligned with fraud risk concerns. According to the global survey, FDA is used around 75% of the time to investigate asset misappropriation, 74% for bribery and corruption, and 62% for financial statement fraud, demonstrating a high need for FDA in various areas.

Leading practices in compliance monitoring suggest that the use of FDA should be more commonplace. Current legislation and recent enforcement actions related to anti-bribery and corruption (ABAC), such as the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act, create a landscape for integrating new FDA procedures into compliance testing.

Successful corporate compliance programs require a continuous process of testing and monitoring of high risk areas. In fact, 87% of survey respondents believe that FDA enhances the overall risk assessment process and improves the ability to detect fraud.

Opportunities for FDA Improvement

Not surprisingly, survey results indicate that the vast majority of companies are missing key opportunities to leverage the appropriate FDA technologies. The majority of the technologies utilized for FDA are spreadsheets (65%) and database tools (43%). While these “rules-based” tools are important, they are typically not sufficient to effectively prevent and detect fraud. Just 26% of survey respondents utilize forensic analytics software, while a mere 12% use data visualization tools and 11% use statistical analysis software. Despite 69% of respondents suggesting that their respective anti-fraud and anti-bribery programs are effective, 62% of respondents admit the need to enhance their management’s expertise and awareness of the benefits of FDA.

June 24th, 2014

By Chris Fordham and John Auerbach

When doing business in China and the Far East, it can be challenging enough to get a handle on the individuals you employ. Add to that the responsibility of monitoring the myriad contractors, vendors, agents and intermediaries, and the challenge rises almost beyond control.

In recent Foreign Corrupt Practices Act (“FCPA”) enforcement actions, a trend has emerged where third parties are landing corporations in hot water. In fact, some 90 percent of recent FCPA cases involved a third party taking actions on an organization’s behalf that fell outside the bounds of the rules. While third parties work outside the company’s walls, and often outside the company’s purview, regulators are holding corporations and their executives responsible not only for their own actions, but also for the corrupt behavior of their intermediaries and improper payments made by these intermediaries.

Activities can be outsourced, but responsibility cannot. In some cases, significant risks associated with outsourcing are being ignored. In the Asia-Pacific region, the corporate use of intermediaries to assist with business is the norm. However, corporations often have a limited understanding of their third party intermediaries, and how they operate. Mitigating the inherent risk of doing business with third parties has therefore become essential.

Specific anti-corruption onboarding processes, like company training and acknowledgement of policies and procedures, have become par for the course for new hires. Most companies today require freshly hired employees to review the company ethics handbook. Why are the same requirements not applied to third party intermediaries? The approaches that many corporations use to manage their contractors, vendors and intermediaries are proving insufficient or ineffective, because they focus solely on economic performance and don’t include monitoring their compliance with controls and procedures designed to mitigate financial and fraud risk.

In the EY Fraud Survey, 55 percent of the respondents believe that risks are more likely to arise from third parties than from internal staff. The survey further reveals that almost half of the respondents said that some level of controls was in place to assess third party risks, but that these controls do not work well in practice.

However, some solutions do exist. A broad set of tools is available to companies to prevent and detect third party breaches.

June 11th, 2014

By Fernando M. Caleiro Palma and Ana Carolina Cayres Szyfman

The enactment of a Federal anti-corruption law is changing the face of business in Brazil. As compared to conventional Western markets, having a compliance program as a strong corporate governance tool has not been seen as essential for the majority of Brazilian companies.

The Clean Company Act (“The Act”), or Federal Law 12,846/2013, was passed on August 1, 2013 and gave corporations only six months to prepare themselves before the law came into force on January 29, 2014. The Act establishes a corporate anti-corruption regime that imposes both civil and administrative liability on Brazilian companies for domestic and foreign bribery. The Act also covers international companies if they engage in bribery within Brazil.

The history

The Act was approved in a singular moment of political backlash in Brazil. After more than 10 years under the rule of a Federal Labor-party administration, Brazil saw massive public demonstrations (the largest since re-democratization in the mid-1980s) protesting against low-quality public services, high inflation and corruption scandals.

In this context, Brazil took steps to comply with its commitment to enforce the OECD Convention on combating bribery of foreign public officials in international business transactions and passed The Act. As a signatory of the OECD Convention in 2000, Brazil was under pressure to enact a law that provides strict administrative and civil liability to corporations, national or foreign.

The Act and the FCPA: broader jurisdiction

In principle, The Act has a great deal of similarity to the U.S. Foreign Corrupt Practices Act (“FCPA”).

The Act has broad application. Both national and foreign companies doing business in Brazil can face liability under the new Brazilian statute, regardless of their corporate legal form, of whether the wrongdoing is committed within or outside Brazilian territory, or even of the rank of the violator (directors, officers, employees or third parties).

(Also see: Brazil’s New Anti-Corruption Environment: A Q&A with EY Sao Paulo’s Fernando Caleiro Palma)

Similar to the FCPA, The Act also sets severe penalties for breaches. Though companies cannot be held criminally liable under The Act, administrative and civil fines can be established on a strict-liability basis, reaching fines of up to 20% of a company’s gross revenue for the fiscal year ending prior to the initiation of the investigation. The companies may face additional penalties (as imposed by courts with jurisdiction) that may include suspension of activities or a ban on receiving benefits from the government. In addition, reputational damage may be significant coming out of a charge or enforcement activity.

May 20th, 2014

By John C. Auerbach

With the recent scrutiny given to the hiring of children of foreign officials abroad, now is the right time to ask whether your company has thought about applying corruption and nepotism due diligence in its recruiting processes.

In the past year, it has been reported that U.S. regulators are taking a closer look at the hiring practices of a growing number of institutions abroad in an effort to understand whether a hiring decision may have been an act of foreign corruption.

In fact, a company proven to have hired individuals abroad in exchange for business with a government official is deemed to have run afoul of the Foreign Corrupt Practices Act. The mere fact that regulators today see fit to explore these corporate decisions amplifies the need for corporations to develop due diligence processes around these hiring decisions.

Hiring the child of a foreign government official may not be an act of corruption, but rather a legitimate and justifiable hire. Consider that the children of foreign elites, along with being well connected, may often be better educated and more professionally qualified than others in the field of candidates.

Corporations should not shy away from hiring the most qualified candidates, but must be aware of this distinction. If that candidate does happen to be politically connected, it is incumbent upon the corporation to do, and document, its due diligence in a way that its decision can be justified and its unbiased process demonstrated, if questioned.

Mitigating the risk starts with documentation. In the job search, the qualities of each candidate should be objectively recorded, with particular focus on how they rate against their competition. If a candidate’s qualities can be quantified, they should be measured and compared against the field of competitors. Also document how each candidate first came to your company’s attention.

Was it through an internship program or through an unsolicited request, like a communication by an email to a personal account? Who brought the candidate to your attention? Was any quid pro quo implied?

May 6th, 2014

By Chris Fordham and John Auerbach

In our Feb. 18 blog post, the EY Fraud Investigations & Dispute Services’ first Asia-Pacific Fraud Survey, published last fall, identified some gaps in companies’ anti-corruption programs.

After a long period of rapid growth, the Asian economy has slowed in recent years, and the regulatory atmosphere has heightened. Last month’s blog focused on how organizations are falling short and running afoul of various anti-corruption statutes from the FCPA to local laws. Here, we’ll take a look at how they can avoid trouble.

From the top of the organization on down, a compliance regime is at its core a communication program. Standards must be understood within organizations – not just locally, but globally. These messages of accountability must be clear and they must cascade throughout the organization. Further, if the messages aren’t clear, or questions or misunderstandings exist, there should be a line of communication going back up the chain to clarify the imperatives.

There are no one-size-fits-all solutions; no silver bullets to eliminate corruption risk. Developing effective policies and controls, training, and consistent monitoring are proven ways to mitigate compliance risk. As diverse as compliance practices and approaches can be across companies and industries, the survey results show that a majority of the 681 executives, senior leaders and working-level employees surveyed hold broad areas of agreement on the leading practices. The challenge is to roll out and manage such programs in a particularly fast-paced, intermediary-driven market.

We also found that nothing can be taken for granted. Certain functions have generally been accepted as standard practice, such as anonymous whistleblower hotlines, or even systems for anonymous general feedback. While many consider such systems a common-sense component of any plan, our survey found that 75 percent of respondents in Australia do not appear to be operating a whistleblower program. Even when there is a whistleblower program in place, it is not unusual to see Asian employees doubt the true anonymity of the system and hesitate to use it. It is important, then, that whistleblower programs offer several different channels for feedback: online and offline, written and verbal, local and global, etc.

When the communication regime has done its job by ensuring the corporate values are understood and accepted, then it’s time to do the more elemental job of translating these values into a cohesive set of policies and procedures. A good place to start is the code of conduct. This guiding set of operating principles should set the tone for your anti-corruption efforts. Effective policies are characteristically easy to explain and understand, are not overly onerous to the business, and can be objectively monitored. At the same time, the best compliance regimes allow for a certain amount of local innovation, using the “front lines” experience of emerging markets such as China to develop practical ways of meeting ethical standards in highly challenging environments.

April 10th, 2014

By Adam Cohen

Second of two parts.

One of the most basic steps a lawyer can take in strengthening the security of client data held by cloud services providers is to negotiate a contractual obligation on the part of the provider to take reasonable security precautions.

The difficulty of defining such standards notwithstanding, there should be a term acknowledging the security issue and requiring attention to it. This should not be thought of as a shifting of responsibility but rather a sharing.

Further, several ethics opinions advise lawyers to pay careful heed to any agreements with their clients that cover confidentiality, or any instructions from their clients regarding how their data is to be handled.[1] Special caution is advised where data is particularly sensitive.

In such cases, it is recommended that lawyers obtain prior approval from their clients before storing the data in the cloud. Obtaining informed consent is a suggested precaution even where the level of sensitivity of the data does not appear to be particularly elevated.[2]

Mirroring developments in other technology-related legal ethics opinions,[3] the cloud opinions instruct lawyers to stay abreast of relevant technology, as well as legal developments relating to technology.[4] Alabama goes so far as to indicate more specifically that lawyers should stay abreast of best practices regarding data safeguarding, including “reasonable security precautions” like passwords and encryption.[5]

With respect to certain basic security measures, such as authentication through the use of passwords, there are numerous implementations that lawyers should consider with which most users of networked services are familiar, including automatic logouts after periods of inactivity and network access termination after a designated number of login attempts.

However, the utilization of more technically complex measures, such as encryption, ventures into a highly complex, technical field that requires substantial expertise on behalf of the evaluating party.

Some ethics opinions intimate an even greater requirement of technical sophistication, inherent in some of the steps that the opinions would have lawyers take to evaluate third-party cloud service providers. Such steps include evaluation or verification of a vendor’s security environment.

  • An Arizona opinion directs lawyers to evaluate the nature of the vendor’s technology and periodically review its security measures.[6]
  • Iowa asks lawyers to determine the degree of protection the vendor provides to its clients’ data.[7]
  • New Jersey wants lawyers to make sure that vendors are using available technology to guard against foreseeable infiltration attempts.[8]
  • North Carolina requires the evaluation of the vendor’s security and backup strategy.[9]

Lawyers aiming to achieve this level of diligence will have to learn some basics about network security defenses such as firewalls, intrusion detection systems and patches, as well as physical or environmental security for data centers.

While these types of mandates may seem cumbersome and unreasonable to many lawyers, they are really no different in nature from the level of technical knowledge that electronic discovery requires. For example, with respect to the same duty of confidentiality that is the subject of this article, ethics opinions require lawyers to be familiar with the workings of metadata so that they do not inadvertently provide privileged information when sharing electronic documents.[10]

Moreover, these demands on a lawyer’s technical competence can be viewed in light of another important suggestion contained in many of the opinions: that lawyers make use of technical experts. It should be cautioned, however, that hiring an expert does not shift the lawyer’s ethical duty to the expert.

In fact, the lawyer not only retains the duty of confidentiality, but he or she takes on the additional duty to supervise, which requires oversight of and responsibility for the expert’s work.[11] This duty to supervise may also extend to cloud service providers.

Access to data is part of the hallowed cybersecurity triad of confidentiality, integrity and availability. Lawyers are advised to confirm, through enforceable agreements, that they will have unfettered access to their client’s data, including in situations where service is terminated or the provider goes out of business. Similar concerns exist with respect to steps taken by a service provider in the event of nonpayment. Access should be defined so that it is not limited to data in a proprietary format that cannot be read or used other than by someone with particular, inaccessible technology.

A corresponding obligation that should be imposed on the provider is to purge the client’s data upon termination of service. This is more easily said than done, as the steps necessary to achieve true data cleansing can be onerous. For example, purging a specific client’s files from backup tapes containing data from multiple clients can be difficult and expensive.

As demonstrated by the news headlines, data breaches may be unavoidable. If a breach does occur, the vendor should be required to notify the lawyer. The lawyer in turn should investigate and determine whether and to what extent any client data was compromised.

With consideration for the common threads discussed in the ethics opinions on cloud use by lawyers, certain further steps are suggested. While it is tempting to ignore the risks of data hacking, regardless of firewall or encryption implementations, lawyers cannot simply avoid data security, as this is not a viable business solution in our networked world.

Given that surrender is not an option, lawyers must choose carefully when evaluating cloud options. Even before confirming that contract terms with cloud providers and other data storage vendors contain general terms mandating certain levels of security, careful consideration should be paid to the selection of providers.

Choosing carefully may, as a practical matter, address many of the concerns regarding the appropriateness of security measures. A critical consideration here is whether the service provider is a reputable company with a strong record of serving other similarly positioned parties.

Moreover, the common theme across many ethics opinions addressing the cloud provider issue makes it clear that lawyers may require assistance from experts in cybersecurity who can explain concepts and help make informed decisions on how to secure client data.

While increased cybersecurity measures are now necessary in the face of the aforementioned threats, not all information needs to be kept in the electronic equivalent of Fort Knox. Accordingly, counsel will have to weigh the confidentiality considerations in particular circumstances against the costs of available protection measures.

Adam Cohen is a Principal in the Forensic Technology and Discovery Services practice of Ernst & Young LLP. Adam is co-author of the annually updated treatise Electronic Discovery: Law and Practice (Wolters Kluwer Publishers), which has been cited as authority in several landmark Federal Court opinions involving electronic discovery.

The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young LLP. This material has been prepared for general information only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

[1] State Bar of California Standing Committee on Professional Responsibility and Conduct: Formal Opinion 2010-179 (2010).

[2] Penn. Op. 2011-200 (2011).

[3] See, e.g., ABA MODEL RULES OF PROF’L CONDUCT R. 1.1 cmt. [8] (2013).

[4] N.H. Op. 2012-13/4.

[5] Alabama Ethics Opinion 2010-02.

[6] State Bar of Arizona Ethics Opinion 09-04 (December 2009).

[7] Iowa Bar Ethics Opinion 11-01 (9 September 2011).

[8] New Jersey Ethics Opinion 701 (2006).

[9] North Carolina 2011 Formal Opinion 6 (27 January 2012).

[10] State Bar of Arizona Ethics Opinion 07-03 (November 2007).

[11] The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., No. 05 Civ. 9016 (SAS), 2010 WL 184312 (S.D.N.Y. Jan. 15, 2010) (Judge Scheindlin reiterating her series of decisions in Zubulake).

April 1st, 2014

By Adam Cohen

First of two parts.

Cybercrime has taken the front pages by storm. Recent revelations include the theft of huge volumes of credit card information from household-name retail businesses[1], the emergence of cybercrime as a potential “WMD” perpetrated by foreign agencies devoted to industrial and military espionage[2] and even nuclear reactors becoming vulnerable to the threat of computer hacking[3].

Let’s not forget the incident heard around the globe involving the disclosure by a contractor of thousands of classified documents describing the inner workings of a major U.S. intelligence agency.[4]

In light of the recent front-page data breaches at sophisticated business organizations, the challenge of safeguarding confidential information is self-evident. Unfortunately, law firms are now in the crosshairs of criminal enterprises looking to get their hands on valuable client data.[5] For lawyers with ethical and professional responsibilities to maintain client confidences, the difficulty in keeping private data from becoming public may present problems that go beyond having sound cybersecurity practices behind their own firm’s firewalls.

When using cloud service providers to store and provide access to confidential client information over the internet, lawyers have a duty to act with reasonable care by addressing a series of issues in this environment of rampant cybercrime. Several of these issues, discussed below, involve contractual requirements for adequate cybersecurity measures, and the advisability of many of these security measures applies equally to the law firm.

When it comes to data within their own networks, law firms need to be up-to-date on sound cybersecurity practices and technology. Law firms should also be aware of the cybersecurity risks beyond their own networks. Similar to other businesses, law firms are keen to take advantage of the benefits of cloud computing, whether it is storing data on the internet or utilizing software as a service over the internet.

Major cloud providers have sophisticated cybersecurity programs from which law firms can benefit. This attribute alone suggests lawyers would benefit from moving to the cloud, quite apart from other key advantages, including convenient remote access and expanded storage space.

Still, while some cloud providers may be at the forefront of cybersecurity technology, cloud providers will continue to emerge as tempting targets for cybercrime, given the breadth of data that is now being stored there.

March 25th, 2014

By Eric M. Williams and Gregory E. Wolski

Nothing ventured, nothing gained: There may be no more apt axiom when considering the current business climate in the emerging markets that make up Africa.

With increased regulations in many of the more developed emerging markets, newer frontier markets, such as Africa, offer new opportunity for business. In the past, information on market conditions in Africa has been largely negative, deterring investors in many cases.

But the numbers in EY’s report, Africa by numbers, show that economic growth across Africa is strong and that more than half the population in sub-Saharan Africa lives in countries where adjusted GDP growth has averaged more than five percent annually over the last two decades. Many of Africa’s economies continue to be among the fastest growing in the world, presenting investors with significant opportunities for growth.

For years, perceptions of corruption inside African state governments had all but curbed foreign investments. To be sure, corruption and graft still exist, but a critical mass of African economies have grown quickly and consistently for years; so much so that, despite the impact of the ongoing global economic situation, the size of the African economy has more than tripled since 2000.

EY’s 2013 attractiveness survey for Africa enumerated many positive metrics regarding Africa’s viability. But perhaps no finding was as important as the assertion that this viability is sustainable.

The survey found that the stereotypes of Africa being wracked with disease, poverty, corruption and conflict persist. However, these failures are no longer the norm, and many data points reveal that Africa’s ascent to commercial relevance goes back as far as the year 2000.
