Today, let’s return to the FCPA enforcement action announced last week against German software giant SAP, which resulted in $220 million in penalties and disgorgement, plus a long list of compliance remediation measures. Those measures are worth going through in detail.
For those who missed last week’s news, the recap is as follows. SAP agreed to pay $220 million to the Justice Department and Securities and Exchange Commission for FCPA violations that happened in the 2010s, stretching from South Africa to Azerbaijan to Indonesia, with a smattering of other East African countries in between. The misconduct itself is nothing we haven’t heard many times before: local SAP subsidiaries working with third-party intermediaries to funnel bribes to corrupt government officials, who in exchange sent lucrative technology projects SAP’s way.
SAP did not win any self-disclosure credit since South African media broke news of the corruption first, but the company did win plaudits for its extensive cooperation and remediation measures to improve its compliance program. So what did SAP do that impressed regulators so much?
In the deferred-prosecution agreement for the case, the Justice Department cited 10 specific factors. Some of those factors are self-explanatory, such as prompt discipline of offending employees and enhanced language in the Code of Conduct. Others deserve closer attention.
Root Cause Analysis
The first factor cited by the Justice Department was that SAP performed a root cause analysis of the underlying conduct, and then took “appropriate remediation to address those root causes and enhance its compliance program and related controls.”
We have several points to consider here. First, this reminds us yet again that prosecutors really want to see errant companies perform root cause analysis. They want to see that you can bring a sophisticated amount of introspection to your company’s operations, to determine what went wrong, how it went wrong, and what the best way to avoid a repeat occurrence would be.
What’s frustrating, however, is that the DPA never specifies what the root cause of SAP’s failures actually was. Instead, we’re left to deduce the root causes from what we read in the SEC and Justice Department settlement documents.
For example, the SEC settlement order declares: “SAP failed to implement sufficient internal accounting controls over the engagement of, and payments to, third parties and lacked sufficient entity-level controls over its subsidiaries in South Africa, Greater Africa, Indonesia, and Azerbaijan.” Meanwhile, the Justice Department’s statement of facts in the case talks about SAP South Africa and Greater Africa employees directly involved in efforts to hire sketchy intermediaries, and who falsely certified the effectiveness of internal controls over financial reporting.
That all leads me to conclude that the failures were among senior executives at local SAP subsidiaries. The SAP corporate parent in Germany may have had a respectable set of FCPA policies and procedures, but it couldn’t get those standards enforced at the subsidiary level. Hence the SEC’s talk about insufficient entity-level controls.
So if poor entity-level control is the root cause of a company’s FCPA wrongdoing, how could it rectify that? By implementing or strengthening entity-level controls such as:
- Centralized processing and controls
- Internal audit
- Clear policies and procedures, written in a manual
- Policies to address significant business control practices
- Controls over management override
- Fraud prevention and detection controls
Now let’s circle back to the other remediation steps praised by the Justice Department.
All the Other Remediation Measures
We started with the root cause analysis. Now let’s look at some of the other significant remediation steps that the Justice Department called out for praise.
- Enhancing the compliance risk assessment process, including by incorporating comprehensive operational and compliance data into risk assessments;
- Enhancing and expanding compliance monitoring and audit programs, planning, and resources, including developing a well-resourced team devoted to audits of third-party partners and suppliers;
- Expanding data analytics capabilities to cover more than 150 countries, including all high-risk countries globally;
- Significantly increasing the budget, resources, and expertise devoted to compliance and restructuring its Offices of Ethics and Compliance to ensure adequate stature, independence, autonomy, and access to executive leadership.
If you have a weak ability to impose your ethics and compliance will on far-flung subsidiaries (that is, weak entity-level control), then these bullet points above are a good way to change that state of affairs.
For example, we mentioned in our previous SAP post that on at least one occasion the company’s internal audit team did raise red flags about a sketchy intermediary in South Africa, but apparently nothing happened after those findings. Well, the second bullet point above is all about how SAP strengthened its third-party audit capabilities; and the fourth bullet point is about how SAP elevated the authority of its compliance team for better access to senior leadership. That’s how a company could assure that its internal audit team has the ability to find FCPA concerns more quickly, and get those concerns heard by the right people.
Along similar lines, notice that third bullet point about better data analytics. One way that SAP’s offending employees evaded anti-bribery controls was to keep the commissions they paid to third-party agents just below 15 percent, a threshold SAP had set for more stringent documentation and approval of contracts.
Now, setting payment terms just below some critical approval threshold — say, at 14.9 percent, which is what the SAP offenders did — is a time-honored way to commit fraud. Any internal auditor worth his or her salt knows this, but not all have the ability to conduct audits of expenses just below critical approval thresholds. So an investment in better data analytics is one way to help internal audit root out fraud that’s exploiting loopholes in your policies and procedures.
Lastly, prosecutors also praised SAP for eliminating its third-party sales commission model globally, and banning all sales commissions for public sector contracts in high-risk markets. As we mentioned in our first SAP post, that’s a structural change in incentives, and one that can’t be easily undone. It reflects a commitment from senior leaders to reduce compliance risks permanently, across the whole enterprise — and that, in turn, reflects the company’s control environment and commitment to integrity.
So yes, even in today’s FCPA-savvy world, large companies can still have deep and persistent problems with corruption risk infecting their workforce. SAP’s remediation steps show how you might turn that ship around. Now let’s see whether it actually works for the company in years to come.