June 24th, 2014

By Chris Fordham and John Auerbach

When doing business in China and the Far East, it can be challenging enough to get a handle on the individuals you employ. Add to that the responsibility of monitoring the myriad contractors, vendors, agents and intermediaries, and the challenge rises almost beyond control.

In recent Foreign Corrupt Practices Act (“FCPA”) enforcement actions, a trend has emerged where third parties are landing corporations in hot water. In fact, some 90 percent of recent FCPA cases involved a third party taking actions on an organization’s behalf that fell outside the bounds of the rules. While third parties work outside the company’s walls, and often outside the company’s purview, regulators are holding corporations and their executives responsible not only for their own actions, but also for the corrupt behavior of their intermediaries and the improper payments those intermediaries make.

Activities can be outsourced, but responsibility cannot. In some cases, significant risks associated with outsourcing are being ignored. In the Asia-Pacific region, the corporate use of intermediaries to assist with business is the norm. However, corporations often have a limited understanding of their third party intermediaries, and how they operate. Mitigating the inherent risk of doing business with third parties has therefore become essential.

Specific anti-corruption onboarding processes, like company training and acknowledgement of policies and procedures, have become par for the course for new hires. Most companies today require freshly hired employees to review the company ethics handbook. Why are the same requirements not applied to third party intermediaries? The approaches that many corporations use to manage their contractors, vendors and intermediaries are proving insufficient or ineffective, because they focus solely on economic performance and don’t include monitoring their compliance with controls and procedures designed to mitigate financial and fraud risk.

In the EY Fraud Survey, 55 percent of the respondents believe that risks are more likely to arise from third parties than from internal staff. The survey further reveals that almost half of the respondents said that some level of controls was in place to assess third party risks, but that these controls do not work well in practice.

However, some solutions do exist. A broad set of tools is available to companies to prevent and detect third party breaches.

June 11th, 2014

By Fernando M. Caleiro Palma and Ana Carolina Cayres Szyfman

The enactment of a Federal anti-corruption law is changing the face of business in Brazil. As compared to conventional Western markets, having a compliance program as a strong corporate governance tool has not been seen as essential for the majority of Brazilian companies.

The Clean Company Act (“The Act”), or Federal Law 12,846/2013, was passed on August 1, 2013 and gave corporations only six months to prepare themselves before the law came into force on January 29, 2014. The Act establishes a corporate anti-corruption regime that imposes both civil and administrative liability on Brazilian companies for domestic and foreign bribery. The Act also covers international companies if they engage in bribery within Brazil.

The history

The Act was approved in a singular moment of political backlash in Brazil. After more than 10 years under the rule of a Federal Labor-party administration, Brazil saw massive public demonstrations (the largest since re-democratization in the mid-1980s) protesting against low-quality public services, high inflation and corruption scandals.

In this context, Brazil took steps to comply with its commitment to enforce the OECD Convention on combating bribery of foreign public officials in international business transactions and passed The Act. As a signatory of the OECD Convention in 2000, Brazil was under pressure to enact a law that provides strict administrative and civil liability to corporations, national or foreign.

The Act and the FCPA: broader jurisdiction

In principle, The Act has a great deal of similarity to the U.S. Foreign Corrupt Practices Act (“FCPA”).

The Act has broad application. Both national and foreign companies doing business in Brazil can face liability under the new Brazilian statute, regardless of their corporate legal form, of whether the wrongdoing is committed within or outside Brazil territory, or even of the rank of the violator (by directors, officers, employees or third parties).

(Also see: Brazil’s New Anti-Corruption Environment: A Q&A with EY Sao Paulo’s Fernando Caleiro Palma)

Similar to the FCPA, The Act also sets severe penalties for breaches. Though companies cannot be held criminally liable under The Act, administrative and civil fines can be imposed on a strict-liability basis, reaching up to 20 percent of a company’s gross revenue for the fiscal year ending prior to the initiation of the investigation. Companies may face additional penalties (as imposed by courts with jurisdiction), which may include suspension of activities or a ban on receiving benefits from the government. In addition, the reputational damage arising from a charge or enforcement action may be significant.
May 20th, 2014

By John C. Auerbach

With the recent scrutiny given to the hiring of children of foreign officials abroad, now is the right time to ask whether your company has thought about applying corruption and nepotism due diligence in its recruiting processes.

In the past year, it has been reported that U.S. regulators are taking a closer look at the hiring practices of a growing number of institutions abroad in an effort to understand whether a hiring decision may have been an act of foreign corruption.

In fact, a company proven to have hired individuals abroad in exchange for business with a government official is deemed to have run afoul of the Foreign Corrupt Practices Act. The mere fact that regulators today see fit to explore these corporate decisions amplifies the need for corporations to develop due diligence processes around these hiring decisions.

Hiring the child of a foreign government official may not be an act of corruption, but rather a legitimate and justifiable hire. Consider that the children of foreign elites, along with being well connected, may often be better educated and more professionally qualified than others in the field of candidates.

Corporations should not shy away from hiring the most qualified candidates, but must be aware of this distinction. If that candidate does happen to be politically connected, it is incumbent upon the corporation to do, and document, its due diligence in a way that its decision can be justified and its unbiased process demonstrated, if questioned.

Mitigating the risk starts with documentation. In the job search, the qualities of each candidate should be objectively recorded, with particular focus on how they rate against their competition. If a candidate’s qualities can be quantified, they should be measured and compared against the field of competitors. Also document how each candidate first came to your company’s attention.

Was it through an internship program or through an unsolicited request, like a communication by an email to a personal account? Who brought the candidate to your attention? Was any quid pro quo implied?

May 6th, 2014

By Chris Fordham and John Auerbach

In our Feb. 18 blog post, we discussed how the EY Fraud Investigations & Dispute Services’ first Asia-Pacific Fraud Survey, published last fall, identified some gaps in companies’ anti-corruption programs.

After a long period of rapid growth, the Asian economy has slowed in recent years, and the regulatory atmosphere has heightened. Last month’s blog focused on how organizations are falling short and running afoul of various anti-corruption statutes from the FCPA to local laws. Here, we’ll take a look at how they can avoid trouble.

From the top of the organization on down, a compliance regime is at its core a communication program. Standards must be understood within organizations – not just locally, but globally. These messages of accountability must be clear and they must cascade throughout the organization. Further, if the messages aren’t clear, or questions or misunderstandings exist, there should be a line of communication going back up the chain to clarify the imperatives.

There are no one-size-fits-all solutions and no silver bullets to eliminate corruption risk. Developing effective policies and controls, training, and consistent monitoring are proven ways to mitigate compliance risk. As diverse as compliance practices and approaches can be across companies and industries, the survey results show that a majority of the 681 executives, senior leaders and working-level employees surveyed hold broad areas of agreement on the leading practices. The challenge is to roll out and manage such programs in a particularly fast-paced, intermediary-driven market.

We also found that nothing can be taken for granted. Certain functions have generally been accepted as standard practice, such as anonymous whistleblower hotlines, or even systems for anonymous general feedback. While many consider such systems a common-sense component of any plan, our survey found that 75 percent of respondents in Australia do not appear to be operating a whistleblower program. Even when a whistleblower program is in place, it is not unusual to see Asian employees doubt the true anonymity of the system and hesitate to use it. It is important, then, that whistleblower programs offer several different channels for feedback: online and offline, written and verbal, local and global, and so on.

When the communication regime has done its job by ensuring the corporate values are understood and accepted, then it’s time to do the more elemental job of translating these values into a cohesive set of policies and procedures. A good place to start is the code of conduct. This guiding set of operating principles should set the tone for your anti-corruption efforts. Effective policies are characteristically easy to explain and be understood, are not overly onerous to the business, and can be objectively monitored. At the same time, the best compliance regimes allow for a certain amount of local innovation, using the “front lines” experience of emerging markets such as China to develop practical ways of meeting ethical standards in highly challenging environments.

April 22nd, 2014

By Bill Henderson

For many companies today, anti-corruption has become their highest compliance priority.

The well-publicized enforcement of the U.S. Foreign Corrupt Practices Act – along with the attendant high costs of internal investigations, possible penalties, and the distractions to management when the U.S. or other countries begin investigations – means corruption has become a risk that needs to be aggressively addressed.

Yet many companies, while operating in high-risk markets, frequently do not consider the need to monitor their employees’ compliance until after problems occur. Monitoring compliance in the form of anti-corruption internal audits is recognized as one of the most crucial elements for heading off the risk.

So, what is an anti-corruption internal audit?

Here’s what it is not: It is not an internal investigation of allegations of wrongdoing. It is not a hunt to find and punish misconduct, though fraud or corruption may be uncovered. And it is not routine internal audit work.

Rather, an anti-corruption internal audit is a proactive, focused review of a company’s anti-corruption risks and of the policies and controls put in place to mitigate such risks. It is a business process that reviews the effectiveness of a company’s anti-corruption compliance program by looking at policy and control compliance and by testing substantive transactions for potential violations and red flags.

As forensic accounting professionals with extensive experience in anti-corruption investigations, we understand corruption risk and know where to look to make the highest-quality testing selections. Then we apply our judgment to ask the most relevant questions of employees.

Talking to employees is a sensitive task. We try to put them at ease, explaining we’re not investigating them, but rather looking more broadly at the compliance program in risk areas. We’re not trying to make anyone nervous – indeed, that would be counterproductive to the process.

April 10th, 2014

By Adam Cohen

Second of two parts - View part 1 here.

One of the most basic steps a lawyer can take in strengthening the security of client data held by cloud services providers is to negotiate a contractual obligation on the part of the provider to take reasonable security precautions.

The difficulty of defining such standards notwithstanding, there should be a term acknowledging the security issue and requiring attention to it. This should not be thought of as a shifting of responsibility but rather a sharing.

Further, several ethics opinions advise lawyers to pay careful heed to any agreements with their clients that cover confidentiality, or any instructions from their clients regarding how their data is to be handled.[1] Special caution is advised where data is particularly sensitive.

In such cases, it is recommended that lawyers obtain prior approval from their clients before storing the data in the cloud. Obtaining informed consent is a suggested precaution even where the level of sensitivity of the data does not appear to be particularly elevated.[2]

Mirroring developments in other technology-related legal ethics opinions[3], the cloud opinions instruct lawyers to stay abreast of relevant technology, as well as legal developments relating to technology.[4] Alabama goes so far as to indicate more specifically that lawyers should stay abreast of best practices regarding data safeguarding, including “reasonable security precautions” like passwords and encryption.[5]

With respect to certain basic security measures, such as authentication through the use of passwords, there are numerous implementations that lawyers should consider with which most users of networked services are familiar, including automatic logouts after periods of inactivity and network access termination after a designated number of login attempts.

However, the utilization of more technically complex measures, such as encryption, ventures into a highly complex, technical field that requires substantial expertise on behalf of the evaluating party.

Some ethics opinions intimate an even greater requirement of technical sophistication, inherent in some of the steps that the opinions would have lawyers take to evaluate third-party cloud service providers. Such steps include evaluation or verification of a vendor’s security environment.

  • An Arizona opinion directs lawyers to evaluate the nature of the vendor’s technology and periodically review its security measures.[6]
  • Iowa asks lawyers to determine the degree of protection the vendor provides to its clients’ data.[7]
  • New Jersey wants lawyers to make sure that vendors are using available technology to guard against foreseeable infiltration attempts.[8]
  • North Carolina requires the evaluation of the vendor’s security and backup strategy.[9]

Lawyers aiming to achieve this level of diligence will have to learn some basics about network security defenses such as firewalls, intrusion detection systems and patches, as well as physical or environmental security for data centers.

While these types of mandates may seem cumbersome and unreasonable to many lawyers, they are really no different in nature from the level of technical knowledge that electronic discovery requires. For example, with respect to the same duty of confidentiality that is the subject of this article, ethics opinions require lawyers to be familiar with the workings of metadata so that they do not inadvertently provide privileged information when sharing electronic documents.[10]

Moreover, these demands on a lawyer’s technical competence can be viewed in light of another important suggestion contained in many of the opinions: that lawyers make use of technical experts. It should be cautioned, however, that hiring an expert does not shift the lawyer’s ethical duty to the expert.

In fact, the lawyer not only retains the duty of confidentiality, but he or she takes on the additional duty to supervise, which requires oversight of and responsibility for the expert’s work.[11] This duty to supervise may also extend to cloud service providers.

Access to data is part of the hallowed cybersecurity triad of confidentiality, integrity and availability. Lawyers are advised to confirm, through enforceable agreements, that they will have unfettered access to their client’s data, including in situations where service is terminated or the provider goes out of business. Similar concerns exist with respect to steps taken by a service provider in the event of nonpayment. Access should be defined so that it is not limited to data in a proprietary format that cannot be read or used other than by someone with particular, inaccessible technology.

A corresponding obligation that should be imposed on the provider is to purge the client’s data upon termination of service. This is more easily said than done, as the steps necessary to achieve true data cleansing can be onerous. For example, purging a specific client’s files from backup tapes containing data from multiple clients can be difficult and expensive.

As demonstrated by the news headlines, data breaches may be unavoidable. If a breach does occur, the vendor should be required to notify the lawyer. The lawyer in turn should investigate and determine whether and to what extent any client data was compromised.

With consideration for the common threads discussed in the ethics opinions on cloud use by lawyers, certain further steps are suggested. While it is tempting to ignore the risks of data hacking, regardless of firewall or encryption implementations, lawyers cannot simply avoid data security, as this is not a viable business solution in our networked world.

Given that surrender is not an option, lawyers must choose carefully when evaluating cloud options. Even before confirming that contract terms with cloud providers and other data storage vendors contain general terms mandating certain levels of security, careful consideration should be paid to the selection of providers.

Choosing carefully may, as a practical matter, address many of the concerns regarding the appropriateness of security measures. A critical consideration here is whether the service provider is a reputable company with a strong record of serving other similarly positioned parties.

Moreover, the common theme across many ethics opinions addressing the cloud provider issue makes it clear that lawyers may require assistance from experts in cybersecurity who can explain concepts and help them make informed decisions on how to secure client data.

While increased cybersecurity measures are now necessary in the face of the aforementioned threats, not all information needs to be kept in the electronic equivalent of Fort Knox. Accordingly, counsel will have to weigh the confidentiality considerations in particular circumstances against the costs of available protection measures.

Adam Cohen is a Principal in the Forensic Technology and Discovery Services practice of Ernst & Young LLP. Adam is co-author of the annually updated treatise Electronic Discovery: Law and Practice (Wolters Kluwer Publishers), which has been cited as authority in several landmark Federal Court opinions involving electronic discovery.

The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young LLP. This material has been prepared for general information only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.


[1] State Bar of California Standing Committee on Professional Responsibility and Conduct: Formal Opinion 2010-179 (2010).

[2] Penn. Op. 2011-200 (2011).

[3] See, e.g., ABA MODEL RULES OF PROF’L CONDUCT R. 1.1 cmt. [8] (2013).

[4] N.H. Op. 2012-13/4.

[5] Alabama Ethics Opinion 2010-02.

[6] State Bar of Arizona Ethics Opinion 09-04 (December 2009).

[7] Iowa Bar Ethics Opinion 11-01 (9 September 2011).

[8] New Jersey Ethics Opinion 701 (2006).

[9] North Carolina 2011 Formal Opinion 6 (27 January 2012).

[10] State Bar of Arizona Ethics Opinion 07-03 (November 2007).

[11] The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., No. 05 Civ. 9016 (SAS), 2010 WL 184312 (S.D.N.Y. Jan. 15, 2010) (Judge Scheindlin reiterating her series of decisions in Zubulake).

April 1st, 2014

By Adam Cohen

First of two parts – View second part here.

Cybercrime has taken the front pages by storm. Recent revelations include the theft of huge volumes of credit card information from household-name retail businesses[1], the emergence of cybercrime as a potential “WMD” perpetrated by foreign agencies devoted to industrial and military espionage[2] and even nuclear reactors becoming vulnerable to the threat of computer hacking[3].

Let’s not forget the incident heard around the globe involving the disclosure by a contractor of thousands of classified documents describing the inner workings of a major U.S. intelligence agency.[4]

In light of the recent front-page data breaches at sophisticated business organizations, the challenge of safeguarding confidential information is self-evident. Unfortunately, law firms are now in the crosshairs of criminal enterprises looking to get their hands on valuable client data.[5] For lawyers with ethical and professional responsibilities to maintain client confidences, the difficulty in keeping private data from becoming public may present problems that go beyond having sound cybersecurity practices behind their own firm’s firewalls.

When using cloud service providers to store and provide access to confidential client information over the internet, lawyers have a duty to act with reasonable care by addressing a series of issues in this environment of rampant cybercrime. Several of these issues, discussed below, involve contractual requirements for adequate cybersecurity measures, and the advisability of many of these security measures apply equally to the law firm.

When it comes to data within their own networks, law firms need to be up-to-date on sound cybersecurity practices and technology. Law firms should also be aware of the cybersecurity risks beyond their own networks. Similar to other businesses, law firms are keen to take advantage of the benefits of cloud computing, whether it is storing data on the internet or utilizing software as a service over the internet.

Major cloud providers have sophisticated cybersecurity programs from which law firms can benefit. This attribute alone suggests lawyers have a benefit to move to the cloud, if not also for other key advantages, including convenient remote access and expanded storage space.

Still, while some cloud providers may be at the forefront of cybersecurity technology, cloud providers will continue to emerge as tempting targets for cybercrime, given the breadth of data that is now being stored there.

March 25th, 2014

By Eric M. Williams and Gregory E. Wolski

Nothing ventured, nothing gained: There may be no more apt axiom when considering the current business climate in the emerging markets that make up Africa.

With increased regulation in many of the more developed emerging markets, newer frontier markets, such as Africa, offer new opportunity for business. In the past, information on market conditions in Africa has been largely negative, deterring investors in many cases.

But the numbers show, from EY’s report, Africa by numbers, that economic growth across Africa is strong and more than half the population in sub-Saharan Africa lives in countries where adjusted GDP growth has averaged more than five percent annually over the last two decades. Many of Africa’s economies continue to be among the fastest growing in the world, presenting investors with significant opportunities for growth.

For years, perceptions of corruption inside African state governments had all but curbed foreign investment. To be sure, corruption and graft still exist, but a critical mass of African economies has grown quickly and consistently for years; so much so that, despite the impact of the ongoing global economic situation, the size of the African economy has more than tripled since 2000.

EY’s 2013 attractiveness survey for Africa enumerated many positive metrics regarding Africa’s viability. But perhaps no finding was as important as the assertion that this viability is sustainable.

The survey found that the stereotypes of Africa being wracked with disease, poverty, corruption and conflict persist. However, these failures are no longer the norm, and many data points reveal that Africa’s ascent to commercial relevance goes back as far as the year 2000.

March 13th, 2014

By Elizabeth Junell and Shawn Giles

In our previous blog post, Fraud Management Programs – Time to Grow Up, we talked about the adolescence of fraud management programs and the need for companies to advance maturity. We also described the various approaches we see companies taking to institute comprehensive fraud management throughout the organization.

In this post, we will give you some tips on advancing maturity of your fraud management model, including the seven primary elements therein.

Developing a fraud management model requires two key types of information. First is an understanding of the organization’s specific risks. Second is regular assessment of, and attention to, fraud trends and schemes that can lead to loss generally and within the company’s specific industry. A company can determine where its fraud management program needs improvement when business process owners bring this information to bear. The information also helps a company to make the changes necessary to mature its fraud management program.

Fraud management programs can be organized into seven primary elements:

  • Board oversight and executive-level sponsorship
  • Risk assessment
  • Code of conduct
  • Anti-fraud policies and procedures
  • Communications and training
  • Controls monitoring
  • Incident response

Most companies have some form of all seven of these elements. Within each element, however, organizations can be at varying stages of maturity.

March 4th, 2014

By Elizabeth Junell and Shawn Giles

How mature is your (or your client’s) fraud management program?

Our experience is that fraud management at many companies seems to be stuck in permanent adolescence: it has grown a lot, but still hasn’t reached adulthood.

Certain types of fraud, like bribery, corruption and inventory theft, are certainly getting attention from companies. Other types of frauds are often less of a priority, particularly if a company has not seen a significant fraudulent incident. Too often fraud management programs are overlooked or allowed to become stale, significantly increasing the risk of fraud.

When properly instituted, a comprehensive fraud management program can help an organization achieve efficiencies by providing cost savings, reducing fraud loss and making better use of limited resources. Selecting the right fraud management model, and nurturing that model to maturity, is no easy task.

We see four main approaches emerging: