Herbalife, that multi-level marketing business selling dietary supplements that absolutely totally isn’t a pyramid scheme, has agreed to settle FCPA charges by paying $123 million in disgorgement and penalties and accepting a deferred-prosecution agreement for three years.
Federal prosecutors announced the settlement Friday. It includes a $55 million criminal penalty going to the Justice Department, plus $67 million in disgorgement and interest going to the Securities and Exchange Commission. The case arises from allegations of long-running bribery and corruption in Herbalife’s China subsidiary, and two Herbalife China executives were personally indicted on FCPA charges last year.
Neither the DPA nor the Justice Department’s criminal information against Herbalife were available Friday — but really, compliance professionals don’t even need those documents to find lessons to learn in this case. The SEC’s settlement order alone contains multiple points about internal control failures, poor documentation, and remediation we could consider.
Today let’s focus on one element: the failure of Herbalife’s audit committee to act on glaring red flags of trouble.
The astonishing part begins with Paragraph 29 in the SEC order. That’s where we learn that in the first half of the 2010s, Herbalife did have an internal audit function that had all the right trappings. It was led by a senior vice president of internal audit, who reported directly to Herbalife’s audit committee. The internal audit team in China reported directly to the SVP of internal audit.
Moreover, that internal audit team was taking a proper, risk-based approach. Twice a year, its team in China would audit the expenses of one Mary Yang, who was the director of external affairs for Herbalife China at the time, and a key player in the bribery scheme. Yang is one of the two former Herbalife China executives indicted last year.
So What Red Flags Arose?
In 2014 the audit team reviewed Yang’s expenses for the second half of 2012.
According to that report, Yang submitted expenses for attending 239 meals with clients, with a total of 4,312 participants, averaging $3,232 per meal — over the course of six months.
Anyone can immediately see that those amounts seem high. When you sit down and do the math, however, the red flags become as large as a Christo art installation.
In other words, Yang was supposedly eating at least one lavish meal with 17 other people every day — and twice on weekends! — for six months. I’m all for treating oneself from time to time, but obviously these numbers cannot be accurate.
In March 2016, another internal audit of Yang’s expenses for the first six months of 2015 found that she had submitted expenses for 115 meals, with an average cost of $1,472 per meal. That’s still more than four meals per week. The audit also found extensive evidence of fake receipts, spending without required pre-approvals, and all the other usual nonsense one sees when reading FCPA settlement orders.
After that second internal audit, a member of Herbalife’s board of directors emailed the audit committee and the head of internal audit to ask whether all that spending was reasonable. I’ll let the SEC order speak for itself about what happened next:
Another board member responded: “Please note I have questioned this every year I have been on the board, and the company has defended its position that these are reasonable within FCPA guidelines.” The internal audit director responded that “the findings are the typical issues in these audits” and are within “tolerance.”
That’s the astonishing part. The rest of Herbalife’s FCPA allegations are just variations on the same themes that compliance officers have heard so many times before: executives faking receipts, ignoring pre-approval controls, lying on documentation submitted to senior management, and so forth. Those accusations against Herbalife are shameful, but they’re not unusual.
So when I search this case for lessons to learn, I get stuck on who let this happen? Who failed to act while executives went wild with lavish spending and fake receipts?
I don’t know about you, but the SEC order leaves me staring at the audit committee.
Taking Responsibility for FCPA Risk
According to Herbalife’s proxy statement for 2016, the members of the audit committee were as follows:
- Richard Bermingham, chair of the committee and an Herbalife board member since 2004. Bermingham was 77 years old at the time, and subsequently left the board in 2018.
- James Nelson, who joined Herbalife’s board in 2014 and still serves on the audit committee today.
- Michael Montelongo, who joined the board in 2015, still serves on the audit committee, and runs a governance advisory services firm for his day job.
We also need to note Leroy Barnes, who preceded Bermingham as chair of the audit committee in the early 2010s. Barnes had been on the board since 2004 as well, and left the board in 2015.
Perhaps we can give more leeway to Nelson and Montelongo, who were board newebies in 2016 and weren’t even there when the first audit of Yang’s 2012 expenses was done. One hopes they prodded the remediation Herbalife undertook in the late 2010s.
Bermingham and Barnes, on the other hand — they were leading the audit committee when Yang and her fellow indictee, Jerry Li (managing director for Herbalife China, and Yang’s boss) were in their bribing prime. Herbalife’s internal audit chief had done the proper audits to uncover red flags, and plopped those audits on the audit committee’s desk.
If, as the SEC order says, management told the board that Yang’s expenses “are reasonable within FCPA guidelines,” then Bermingham and Barnes’ correct response should have been to knock some C-suite heads for a better answer. By the mid-2010s any audit committee director should have known that China operations were a high risk, and that the feds had no problem delivering large fines for FCPA misconduct.
Bermingham and Barnes should not have taken management’s word that all was well. Heck, they shouldn’t even have accepted the internal audit chief telling them that those findings were within tolerance. If that was Herbalife’s tolerance for FCPA risk, Barnes and Bermingham should have changed it.
All the rest of the Herbalife settlement, we can explore in subsequent posts as necessary. I’m just not sure those details are necessary to the primary point: that board directors need to do better at taking their jobs seriously. When that first link of the chain fails, the rest is just clatter and noise coming down around you.