Today we celebrate Hammer Film’s version of The Mummy. This was the first film that the Hammer studios made under a license agreement with Universal Pictures, the holder of the copyright of its classic monsters from the 1930s and 1940s. This version starred the duo of Peter Cushing and Christopher Lee. Changing the storyline from the original Universal Picture version, the Hammer version brought the Mummy back to England from Egypt where his apparent sole purpose was to wreak havoc and kill those who violated the tomb of his beloved Princess Anck-es-en-Amon. This is somewhat confusing as the movie makes clear that Cushing did not desecrate the tomb because he was laid up with a broken leg at the time, which caused him to limp the remainder of the movie. It was Cushing’s father and uncle, who did come to grief at Lee’s hand back in jolly old England, who initially entered the tomb. But one thing about Hammer Films, internal consistency was never allowed to get in the way of a good story.
Perhaps as Hammer Films got carried away, I did as well (yet again). I know I said I was going to put together a three-part series on internal controls for locations outside the US but it has turned into a four-part series. In parts I & II I reviewed some of the risk considerations that a compliance professional should contemplate regarding business units outside the US. I also discussed how to perform a Location Risk Assessment. In Part II, I will review how to use this assessment as a tool to provide a structured approach to establishing effective internal controls. I will conclude with Part IV where I will discuss how to implement worldwide controls in a company where each foreign location has a distinct set of operations issues and uses different ERP / accounting software systems. Once again, I rely on internal controls expert Henry Mixon for guidance in this area.
After preparation of Location Risk Assessments, the next step is to prioritize the listing of the risks and which locations they are common to. Mixon advises the need to map existing internal controls to risks and then assess whether the internal controls are sufficient to mitigate the risks. To help with consistency in this evaluation process, it may be useful to assign a risk weight to each of the elements in the Location Risk Assessment. For example, a construction company might assign a higher weight to the presence of movable fixed assets while a company which sells exclusively through local distributors, might assign a higher weight to the sales function than one that exclusively uses company employees for sales activities. However it is structured, the assessment should result in the assignment of individual risk scores and a composite risk score for each location. These scores can then be used to prioritize the locations in terms of dealing with control risks.
One of the biggest risks under the Foreign Corrupt Practices Act (FCPA) is where sales are conducted through third parties. If your company is moving to new geographic markets or new products and does not plan to use an internal sales team to facilitate these new efforts it presents a high FCPA compliance risk. The recent Securities and Exchange Commission (SEC) FCPA enforcement action against Smith & Wesson (S&W) was just such a situation, where a newly emerging international sales operation was executed through third party agents. The compliance function should understand the corporate or business unit controls over the international business generally, in addition to the necessary controls over agents we previously discussed. Some of the questions you might consider are the following. Is there a US based International Sales Manager who is responsible for growing the international business? What is the incentive compensation plan? How good are the segregation of duties (SODs)? In other words, can the International Sales Manager unilaterally make high-risk decisions, or must a senior officer of the business unit or corporate be part of the approval process? Finally, and in a point not to be forgotten or dismissed, how are all of these internal controls documented?
What about a situation in opposite to the above scenario, where your company’s primary sales channel uses a US based sales force which only travels to locations outside the US for temporary visits of generally short duration. This situation minimizes some compliance risks, retains some compliance risks, and shifts some other compliance risks. The minimized compliance risks come from the lessening on the reliance of third parties so that a company, at least in theory, would have more control over its own work force than those employed outside your company. The retained risks are the risks associated with gifts, entertainment, hospitality, and travel, approval of credit terms to customers, product pricing, special arrangements with customers such as providing product samples, knowing who the ultimate customer is and where the goods are ultimately shipped, and use of freight forwarders and customs agents. The shifted risks are created if there is no physical location outside the US because the accounting must be done in the US. This means that compliance risks regarding the accounting function simply shift to the US accounting department where transactions are processed and recorded and where the financial statements are prepared.
These identified risks need to be subject to appropriate internal controls because it is well established that the issuance of a Code of Conduct and/or FCPA compliance policy and training of said policy’s requirements is a good practice, but it does not provide reasonable assurance that employees will comply with the policies. What is needed are written procedures and work instructions, in the native language of the respective employees, that defines exactly what the procedures to be performed are and how they will be evidenced. As difficult as it is for US employees to translate, by themselves, what it means to comply with policies, it may be significantly more difficult for employees outside the US, not only due to language but also due to traditional local business practices, cultures and customs. Think of a business unit in a geographic area such as the Far East where there is a significant amount of deference to supervisors in the local culture; such that, even if an employee saw inappropriate behavior it would not be expected that the employee would make any report or comment. Such situations can have huge impact on your internal controls environment.
Next week I will conclude this series on internal controls for your business locations outside the US with some thoughts on how a compliance practitioner might go about implementing these controls and responding to the inevitable pushback you will receive.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2014
Filed under: Best Practices, Compliance, Compliance and Ethics, compliance programs, FCPA, Henry Mixon, Internal Controls 
