Ericsson Internal Control Lessons
As everyone in the corporate compliance world knows by now, Ericsson settled its long-running FCPA case last week with $1.06 billion in disgorgement and penalties plus a compliance monitor to boot. This is a sprawling case, full of lessons for the rest of us, so let’s start with the internal controls issues enforced by the Securities and Exchange Commission.
Across 24 pages, the SEC complaint catalogs one internal control failure after another. The failures themselves ran from 2011 into 2017 — when a firm as large and sophisticated as Ericsson should have known better, and should have been able to prevent such abuses. Yet that didn’t happen.
Well, that’s what makes the Ericsson case so compelling. More than depicting how one firm bungled the job of effective internal control, this case really shows us just how challenging the management of your third parties can be.
Let’s start with Ericsson’s bribery in Saudi Arabia. In 2012 and 2013, Ericsson paid $40 million to two Saudi Arabian business consultants, pretty much only so those two consultants could funnel bribes to a state-owned telecom company. Two senior Ericsson executives in the region signed the contracts with these consultants, either knowingly or recklessly turning a blind eye to warning signs that these were sham deals to cover up bribes.
For example, the contracts with both consultants described identical services. The first consultant had only one employee other than the firm’s owners, and the firm itself had only one client: Ericsson’s Saudi Arabia branch. The second consultant claimed to be a Saudi Arabian firm, yet payment for its services went to an account in the Channel Islands.
It gets worse, and more recent. From 2015 into 2017, Ericsson executives in Saudi Arabia paid for luxury travel for Saudi government officials. In 2016, the company dropped $70,000 to fly one Saudi official and seven family members to a five-week vacation in California. On another occasion, Ericsson whisked two Saudi officials to Paris, where the officials stayed at five-star hotels and got spa treatments.
Is that conduct shameful? You bet. So what could a compliance function do about it? How could you fashion internal controls to prevent these shenanigans?
A close read of the facts gives us some ideas.
Embedding Compliance Into Internal Control
Let’s go back to those two Saudi consultants. First, the key portion of their contracts — the description of services to be rendered — was identical. That’s something an astute contract management system should be able to detect.
Of course, that implies that you actually have a contract management system: one that requires digital versions rather than paper copies, so the text of the contracts can be indexed and searched; and one that can bring sophisticated analytics to bear so you can identify contracts with identical terms.
The technology exists to do this. The question is whether your company has the will and the resources to implement that technology.
Second, Ericsson did perform due diligence on these two Saudi consultants, but only one year after the contracts were signed. In fact, the first Saudi consulting firm wasn’t even formed until one year after the consulting contracts were signed. In other words, all this due diligence was for cosmetic purposes only, conducted long after Ericsson had decided to pay bribes.
It doesn’t have to be that way, if a company integrates compliance concerns into the internal controls around its payment processes. That was the big flaw for Ericsson that let these transactions continue for so long.
For example, you could implement controls to bar any contracts from going into effect until after due diligence is complete. You could implement rules to block payments to any high-risk third party without the compliance department’s review. For any large enterprise running payments on SAP or Oracle, those controls are possible. Frankly, they should be standard for any firms working anywhere near corruption risk.
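To make the two controls sketched above concrete, here is an added example (not from the original post, and not any vendor's or Ericsson's actual system): a contract screen that flags third-party contracts with identical or near-identical service descriptions, and a payment gate that refuses to release a payment until due diligence is complete, the contract is fully executed, and a high-risk third party has compliance sign-off. It also flags a payee whose bank country differs from the country it claims to operate in. The contracts, vendors and payments are constructed sample data modelled on the red flags the post describes; every field name and threshold is an assumption.

```python
"""Added example: contract-scope duplicate screening and a payment gate.
All records below are constructed samples; field names are assumptions."""
import re
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Optional


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace so trivial edits don't defeat matching."""
    return re.sub(r"\s+", " ", text.lower().strip())


def shingles(text: str, k: int = 3) -> set:
    """Word k-grams: near-duplicates share most shingles even after small edits."""
    words = normalize(text).split()
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}


def jaccard(a: set, b: set) -> float:
    return 1.0 if not a and not b else len(a & b) / len(a | b)


@dataclass
class Contract:
    contract_id: str
    vendor_id: str
    services: str          # scope-of-services clause, indexed as searchable text
    executed: bool         # fully signed by both sides
    signed_on: Optional[date]


@dataclass
class Vendor:
    vendor_id: str
    name: str
    claimed_country: str
    bank_country: str      # country of the account payments actually go to
    high_risk: bool
    due_diligence_completed_on: Optional[date]
    compliance_approved: bool


@dataclass
class Payment:
    payment_id: str
    vendor_id: str
    contract_id: str
    amount: float


def find_duplicate_scopes(contracts, threshold: float = 0.8):
    """Return (id, id, similarity) for every pair whose scope text is near-identical."""
    hits = []
    for c1, c2 in combinations(contracts, 2):
        sim = jaccard(shingles(c1.services), shingles(c2.services))
        if sim >= threshold:
            hits.append((c1.contract_id, c2.contract_id, round(sim, 2)))
    return hits


def screen_payment(payment, vendors, contracts):
    """Return the list of blocking reasons; an empty list means the payment may be released."""
    vendor = vendors.get(payment.vendor_id)
    contract = contracts.get(payment.contract_id)
    if vendor is None or contract is None:
        return ["unknown vendor or contract"]
    reasons = []
    if contract.vendor_id != vendor.vendor_id:
        reasons.append("contract does not belong to payee")
    if not contract.executed:
        reasons.append("contract not fully executed")
    if vendor.due_diligence_completed_on is None:
        reasons.append("due diligence not completed")
    elif contract.signed_on and vendor.due_diligence_completed_on > contract.signed_on:
        reasons.append("due diligence completed after contract signature")
    if vendor.high_risk and not vendor.compliance_approved:
        reasons.append("high-risk third party without compliance review")
    if vendor.claimed_country != vendor.bank_country:
        reasons.append(f"payee bank country {vendor.bank_country} differs from "
                       f"claimed country {vendor.claimed_country}")
    return reasons


# Constructed sample data (assumptions, not real records).
SCOPE = ("Advisory services in connection with the procurement of telecommunications "
         "network equipment and related support in the Kingdom.")
SAMPLE_CONTRACTS = [
    Contract("C-001", "V-001", SCOPE, True, date(2012, 3, 1)),
    Contract("C-002", "V-002", SCOPE, True, date(2012, 3, 15)),   # same clause, different vendor
    Contract("C-003", "V-003", "Installation, commissioning and maintenance of radio base "
             "station sites at agreed locations, including site surveys.", True, date(2013, 1, 10)),
]
CONTRACTS = {c.contract_id: c for c in SAMPLE_CONTRACTS}
VENDORS = {v.vendor_id: v for v in [
    Vendor("V-001", "Consultant A", "Saudi Arabia", "Saudi Arabia", True, None, False),
    Vendor("V-002", "Consultant B", "Saudi Arabia", "Jersey", True, date(2013, 4, 1), False),
    Vendor("V-003", "Site Works Co", "Saudi Arabia", "Saudi Arabia", False, date(2012, 12, 1), True),
]}
SAMPLE_PAYMENTS = [
    Payment("P-1", "V-001", "C-001", 20_000_000.0),
    Payment("P-2", "V-002", "C-002", 20_000_000.0),
    Payment("P-3", "V-003", "C-003", 150_000.0),
]

if __name__ == "__main__":
    print("duplicate scopes:", find_duplicate_scopes(SAMPLE_CONTRACTS))
    for p in SAMPLE_PAYMENTS:
        blocked = screen_payment(p, VENDORS, CONTRACTS)
        print(p.payment_id, "RELEASE" if not blocked else "BLOCK: " + "; ".join(blocked))
```

The point of the gate is that it is preventive and automatic: `screen_payment` runs inside the payment run, not as a compliance officer's after-the-fact review, and it never releases a payment that fails any check. In a real deployment the same rules would be expressed as release-strategy or workflow configuration in the ERP rather than as standalone Python, but the decision logic is the same.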
Yet I’ve heard stories for years, and continue to hear them today, about how compliance officers can’t get the finance or IT functions to take those concerns seriously. You talk and you beg and you plead to configure internal controls around financial processes to prevent suspicious payments from going out the door — and the management team doesn’t listen.
That’s the real threat for third-party governance. Designing a due diligence program can be challenging, and integrating it into your payments system is exacting work, but those things can be done.
Unless your executive team isn’t interested in doing them. Then they can’t get done, no matter what.
Codifying Good Practice
Another part of the SEC complaint that jumped out to me was Paragraph 84, which summed up all the internal control failures that Ericsson allowed to happen. Take a look:
This paragraph is great because it sums up how several important internal controls should work at an abstract level. Your job, as lead compliance or audit executive, is to weave those abstract ideas into the daily operations of your enterprise.
That weaving is the hard part, of course — but you can see a path forward in that passage above if you think about it.
First you need to craft the right policies. A good example would be Item C, above: “require completed due diligence and a fully executed contract with a third party before the third party could begin providing services.” Then you need to create mechanisms in your payment processes — otherwise known as controls — to be sure those policies are enforced.
Right now, too many companies still use controls that are manual: compliance officers double-checking whether due diligence is complete, and pleading with accounting departments not to issue payments. That’s faulty. Those controls need to be embedded into the company’s business software, so they are automatic and preventive.
Hence my section title above: codifying good practice. Paragraph 84 of the Ericsson complaint shows what the good practice is; now those practices need to be encoded right into business operations.
There’s still plenty of old school work for CCOs to do in that scenario. For example, someone still needs to define what “completed due diligence” in Item E, above, actually is. That would be you. Then comes a more collaborative phase, where the CCO works with the accounting function, IT, records management, and other business functions to get those principles embedded into your daily operations.
All this assumes senior leadership does want to create strong internal controls for FCPA compliance. Ericsson is a great example of what happens when they don’t.