Internal audit and compliance perform similar but distinct functions. Both groups need to work together to help ensure compliance with the most important laws and regulations and help organizations avoid significant fines, penalties, and reputational risk. As part of your risk assessment procedures, you need to be scanning what’s happening to other organizations and where governments are focusing enforcement actions.

I discuss recent compliance enforcement actions (case studies) with Matt Kelly and show how recent compliance issues that led to enforcement actions and penalties by the US government can also apply to your organization. Learn from the mistakes of others, so your organization doesn’t have to experience the same risk.

Matt Kelly is the editor of Radical Compliance. You can learn more and sign up for his Friday newsletter at:

To take advantage of the 50% off cRisk Academy on-demand course use this link: and use coupon code: JAMMING2019 when you register for a course. cRisk Academy is offering this to listeners of the Jamming with Jason podcast through 30 November, so make sure to take advantage of your savings today.


00:00:01.319 –> 00:00:10.469
Well, welcome everybody to another episode of Jamming with Jason. Hey, today I’m here with longtime friend Matt Kelly. Matt, welcome aboard, man.

00:00:10.679 –> 00:00:17.369
Hello, Jason. It is a delight to be here on this podcast with you. My first time ever on Jamming with Jason.

00:00:17.580 –> 00:00:21.780
I know it will it will be jam. We be jammin you know anyway.

00:00:22.920 –> 00:00:27.450
No, I know. I know you said that you don’t have to flatter it but it but it’s, it’s, you know,

00:00:28.050 –> 00:00:39.960
Tom refers to you as the coolest guy in compliance. So I thought, well, how cool would it be right. Like if the coolest guy in compliance and a rock star get together on a podcast, it would be jamming, wouldn’t it

00:00:40.140 –> 00:00:41.460
It absolutely would.

00:00:41.820 –> 00:00:53.490
Would be jamming. So for those, for those of you that don’t know, Matt Kelly is the editor of Radical Compliance, and we’ve known each other for 10 or 15 years, somewhere in that range, I think.

00:00:53.730 –> 00:00:54.570
I think so, yeah.

00:00:54.630 –> 00:01:04.350
Yeah, it’s, it’s, it’s been a little while but wanted to have Matt on because he really is an expert in the compliance space.

00:01:04.830 –> 00:01:20.370
And so so Matt maybe just just give give the listeners a little, a little flavor for kind of, you know, where you’ve come from and kind of what you’re doing now and how Tom gave you that coolest guy in compliance. Sort of. Sort of thing, because I think you do you, you are

00:01:21.570 –> 00:01:28.350
An icon in this space, if you will, in reporting a lot on what’s actually going on in the compliance realm. Mm hmm.

00:01:28.800 –> 00:01:41.880
Yeah, so I have been reporting on these issues, in one form or another, probably since around 2003 when Sarbanes-Oxley was first passed, and I wound up writing for Compliance Week for a while.

00:01:42.480 –> 00:01:48.210
And I knew, I knew very little about corporate compliance back then but good news was really not.

00:01:48.270 –> 00:01:56.610
Anybody else did either, so we could all fake it collectively in grow into understanding what compliance was I wound

00:01:57.660 –> 00:02:03.300
Up working at Compliance Week and running the magazine from 2006 until the starting point in

00:02:03.870 –> 00:02:14.250
And then I moved on to writing my own newsletter, Radical Compliance, sent out on Friday afternoons. You can sign up for it for free and my approach has always been

00:02:15.000 –> 00:02:30.750
I don’t take any ads and I don’t charge any subscription fees. So I really don’t have too many constituencies to answer. Doing so I can give my unvarnished analysis on compliance, audit and governance news of the day.

00:02:32.370 –> 00:02:44.550
And a lot of what I try to do is, I would guess maybe 40% of my readers are ethics and compliance officers on the legal side, probably another 40% are internal audit executives, and it’s about writing

00:02:45.330 –> 00:02:52.140
About those issues that will straddle both domains and how each side can sort of understand the other’s perspective.

00:02:53.490 –> 00:03:04.530
When the mess happens you’re both going to be in the room, along with a couple of other people maybe outside counsel and see. So, and the audit formula. How do we get out of this y’all gotta understand the

00:03:05.910 –> 00:03:13.710
The common comprehensive. So that’s what I do is I write about a lot of very topical news on been and I love

00:03:14.880 –> 00:03:15.210
Doing it

00:03:16.560 –> 00:03:19.170
Well, and I’m glad that you’re in that space because like I said it’s

00:03:19.830 –> 00:03:30.840
You know what you put out as is important for people to it and you’ve really kind of carried over your journalism, you know, into more of this topical area. But, you know, from a background, you’re really kind of a journalist. Right.

00:03:30.870 –> 00:03:31.800
And so, yeah.

00:03:31.830 –> 00:03:39.180
So you’re just reporting on what’s actually happening. And then it allows people to then kind of figure out, okay, what is it that we need to do with this, right.

00:03:39.630 –> 00:03:50.490
And I think, like you said, I mean, I remember those days back in the early 2000s. When you know compliance departments were all of a sudden now a big deal. And people have started kind of adding to it.

00:03:50.970 –> 00:03:57.930
You know, the auditors have been around for a while. But now we have compliance as well. And I know you know even still, you know,

00:03:58.800 –> 00:04:10.650
I can’t do math in my head right now 15 1516 years later, there’s still a lot of a lot of kind of growing pains of what is audit do what is compliance do how do we work together well.

00:04:11.340 –> 00:04:20.400
That’s still kind of going on but like you said whenever anything bad happens usually both of those people are pulled in the room and the fingers get pointed at one or both of them.

00:04:21.330 –> 00:04:34.470
Which is why we’re talking today, right, because it’s like compliance can’t just stick their head down and not think or consider internal audit, and internal audit cannot just stick its head down and not consider compliance as well, so

00:04:35.640 –> 00:04:39.180
So maybe let’s talk about some of the things that are that are kind of going on because

00:04:40.140 –> 00:04:50.970
What I want to do is is is help the auditors kind of understand some of what’s going on in the compliance world so that if if it’s in their space if it relates to their organization that

00:04:51.360 –> 00:04:58.890
That they kind of are aware of it, so they can start thinking about it in their planning and what to kind of do going forward. Right, sure.

00:04:59.550 –> 00:05:07.440
So I know we were talking before we started, you know, the SEC and some of the different enforcement actions and stuff that have been coming out lately.

00:05:07.800 –> 00:05:21.840
You know, maybe we can talk a little bit about some of those kind of some of the lessons learned, you know, from that. And again, maybe things that people should be looking for within their organization so they don’t end up in the news like some of these other companies. Yeah.

00:05:22.650 –> 00:05:34.800
Well, I think that the big compliance and enforcement story of 2019, what has intrigued me, is, so the Foreign Corrupt Practices Act has two parts.

00:05:35.250 –> 00:05:44.220
There is the criminal part that says you may not bribe a foreign government official, which is investigated and charged by the Justice Department on the criminal side.

00:05:44.850 –> 00:05:56.040
And then also the civil side the Securities and Exchange Commission says you must have adequate internal controls to detect and prevent bribes. So we have all

00:05:57.000 –> 00:06:03.780
These books and records violations and what I have seen is that the Justice Department is taking a big step back for

00:06:04.500 –> 00:06:14.340
From unfortunately criminal side they’re trying to encourage self disclosure and then you remediate but they won’t actually bring the criminal charges company. But while that

00:06:15.240 –> 00:06:33.180
Slow rolling is happening, we still see a steady brisk pace of enforcement on the civil side from the squirting to gain promotion on core internal controls. It’s kind of weird, because essentially the SEC is saying you have faulty internal

00:06:34.230 –> 00:06:47.880
Fraud, so you can’t figure out if there was a bribe or not even when the Justice Department said we’re not going to bother bringing the charge of bribery. So can you have an enforcement action on the civil side when nothing wrong actually was enforced on the

00:06:48.990 –> 00:07:01.530
Criminal side. A lot of people take a weird, doesn’t really matter because it is what it is, but it, it raises some really interesting questions about how strong your internal controls are

00:07:02.070 –> 00:07:16.920
And how audit appreciates the regulatory risks that are still out there and how compliance understands what are the internal control issues that could still leave my company falling on its face, and that’s what I think it’s a bookstore for

00:07:18.480 –> 00:07:24.060
Well, it is. And I, and I think again. Right. You know, usually the criminal that’s done at the individual level.

00:07:24.690 –> 00:07:34.080
But the civil is still handled by the corporation. Right. So, so, and this is one of the things I that I’ve seen for a long time with with compliance is

00:07:34.770 –> 00:07:44.730
The government’s going to come. Eventually, it just ends up being years later. And so a lot of times people think, oh, you know, I dodged that bullet. Nobody’s gonna know it’s like

00:07:45.450 –> 00:07:55.710
No, they’re coming, and when they come the fines are going to come, right. So if we think back, you know, like the, you know, 2008 financial issue. It wasn’t until, I think, wasn’t it

00:07:57.090 –> 00:08:00.480
When most of the banks actually finally got their fines that

00:08:00.930 –> 00:08:02.580
Can easily take 10 years

00:08:03.120 –> 00:08:06.930
10, 15 years or more, but eventually it will catch up.

00:08:08.220 –> 00:08:20.010
Yeah. And ultimately, like you said, even though even if DOJ doesn’t criminally prosecuted the SEC comes after you. They’re still going to give you a fine that you’re going to have to pay

00:08:21.600 –> 00:08:26.550
And plus, plus, plus, plus, everything else that goes along with that. Right. Yes. So,

00:08:26.910 –> 00:08:33.570
I think, I think a lot of times people think that the, the, the, the amount of money they have to pay the government is what the risk is. And it’s like, no.

00:08:34.020 –> 00:08:43.260
What about all the wasted time and effort and everything else that you had to go through for the last, how many years during the investigation that’s also a cost of it as well. So

00:08:43.290 –> 00:08:53.250
To do the sort of the breakdown in your head, you would easily have to pay disgorgement of whatever profits your company got by way of the bribery.

00:08:54.120 –> 00:09:05.970
Penalties which could be several million dollars. The penalties could be more than the disgorgement. That is, it’s not all the time. But, you know, you see it, and then interest on top of that.

00:09:06.570 –> 00:09:20.070
And then whatever that number is, multiply it by three or four because that is your legal fees for your outside counsel. That’s for your auditor. That’s for all the distraction of your internal man hours and, you know, suddenly the meter is ticking up and up and up.

00:09:21.360 –> 00:09:31.110
And then there could potentially be individual enforcement actions where, you know, you might get barred from working at a public need might lose your accounting license or your law license.

00:09:32.160 –> 00:09:42.300
You know, on the criminal side, at least in theory you could wind up with a personal indictment and then you’re in big trouble. So this is still like you don’t want to be here under any circumstance.

00:09:42.870 –> 00:09:51.150
No. Well, and like you said, I mean, kind of that formula that you kind of gave, you know, the disgorgement of profits, penalties, interest, multiply by three or four

00:09:51.480 –> 00:09:59.820
I remember, I mean this settled a while ago, but the the Walmart Mexico issue finally settle. Yeah. Let’s spend a year ago. So now,

00:10:00.390 –> 00:10:08.340
But I remember when that when that first came out in my head. I thought this is going to cost them a billion dollars right that’s that’s just kind of what I

00:10:08.850 –> 00:10:17.400
What I thought in was kind of teaching people. It’s like, look, this is going to come back and bite him now. I think the ending penalty ended up only being around 200 million something like

00:10:17.460 –> 00:10:18.570
A little bit more than two.

00:10:18.720 –> 00:10:25.470
Yeah, I was a little more than 200 but Walmart disclosed. They probably spent a billion dollars.

00:10:26.820 –> 00:10:32.790
Paid disclose that they paid 1.1 billion since I think 2013 up until now.

00:10:34.080 –> 00:10:40.080
They’ll probably still have ongoing costs. After this, and I am not entirely clear on if that was

00:10:40.620 –> 00:10:51.690
All of the costs or just their internal improvements, but you know they paid some law firm out there good money. And so I wouldn’t even be surprised if it was more than the 1.1 that they did report.

00:10:52.080 –> 00:10:59.310
Yeah, so that’s why i think that’s that’s good for people to because because, again, as the auditors are thinking about this. I don’t want them thinking

00:10:59.700 –> 00:11:08.010
Oh, this is only a $10 million thing. No, it’s going to balloon to whatever you might pay like let’s say it’s a $10 million fine, which isn’t very much

00:11:08.670 –> 00:11:15.150
But by the time you start multiplying it it really has probably a 60 to 100 million dollar impact.

00:11:15.630 –> 00:11:20.820
On your organization, even though you’re only paying the government 10 million right, good. Yeah. Yeah.

00:11:21.330 –> 00:11:34.800
So, so maybe let’s talk about a couple because I know we were talking about a couple of, you know, almost like little case study kind of things of sharing with people kind of you know how some of this stuff comes out what some of these companies are getting in trouble for

00:11:36.270 –> 00:11:38.880
You know as well because we were talking a little bit about some of the

00:11:39.390 –> 00:11:44.700
Some of the pre IPOs I got pulled back and there’s some reasons around that maybe some of the stuff because I know

00:11:45.060 –> 00:11:54.720
The Quad/Graphics was a big one that you’ve been talking a lot about lately. Yeah, so maybe kind of walk us through or help us kind of see, let’s give the listeners

00:11:55.680 –> 00:12:06.300
Kind of real case facts, if you will have some of the things that other companies are going through, so they can start trying to think how could this apply to my company. And this is something that we should be concerned about as well.

00:12:06.810 –> 00:12:16.680
Sure. So I actually, I know I said that this is the big story of 2019 I’m actually going to give my first example from 2018 I think September 2018 or so.

00:12:17.100 –> 00:12:34.740
Where the SEC took an enforcement action against Sanofi pharmaceutical firm for bribery offenses and internal control failures that happened with its Middle East operations and what intrigued me and this is not an uncommon fact

00:12:35.910 –> 00:12:55.380
Was that Sanofi distributors in the Middle East, they were receiving credit notes from Sanofi that the distributors could then use to offset money the distributor might owe back to Sanofi or, and this is the key detail, convert those credit notes to cash

00:12:57.000 –> 00:12:57.930
One guess

00:12:58.410 –> 00:13:01.470
Where that cash went once it was converted

00:13:02.970 –> 00:13:13.560
So it was of course converted into bribes and the various other failures but that stood out to me because I wrote a whole post about how a compliance officer.

00:13:14.130 –> 00:13:25.800
Who is trying to implement effective control over third parties, you really would need to understand that accounting policies like that do carry risk.

00:13:26.940 –> 00:13:34.950
And, you know, how would you try to rectify or amend those policies. So you could seal off that risk.

00:13:35.490 –> 00:13:44.100
And what strikes me as if I talked to ethics and compliance officer to are wonderful people. But they are largely lawyers. If I say

00:13:44.610 –> 00:14:03.030
Are you worried about SEC enforcement Foreign Corrupt Practices Act. Oh yeah, totally. And its third parties, man. My resellers distributors, they’re always going to, that’s my my risk. I said yes. Do you understand what a credit note is and how it could be used like a new that’s an apartment.

00:14:04.590 –> 00:14:05.340
So, but I

00:14:05.370 –> 00:14:10.350
What I don’t know. And actually, you know, if you had perspective on this. I think it would be, I’d be curious to hear it.

00:14:10.650 –> 00:14:21.780
How often do the audit and accounting people also understand that a policy like that might seem like a good business process because they don’t understand the regulatory risks.

00:14:22.080 –> 00:14:29.100
Of having it. And I’m wondering if there is a disconnect there certainly disconnect from compliance officers don’t appreciate

00:14:29.580 –> 00:14:42.900
All of this accounting policy nuance they need to think about, but I wouldn’t be surprised if there’s also a disconnect vice versa, that the accounting people might not know the regulatory risks that they’re carrying around thanks to their policy.

00:14:43.620 –> 00:14:49.470
Well, no, I think it is. And it’s, it’s, it can go both ways, you know, and like you said, depending on

00:14:50.340 –> 00:14:56.160
Let’s say what the background of the compliance person is if they’re mainly attorneys, then obviously they’re going to have some blind spots.

00:14:56.220 –> 00:15:03.630
So that’s a, that’s a great word that I like to use right is is is an attorney might just have some blind spots because they don’t know, they haven’t experienced it.

00:15:04.110 –> 00:15:13.860
An auditor might have blind spots because maybe they don’t understand you know the details of the regulation or some of the, you know, litigation aspects or legal aspects of it.

00:15:14.880 –> 00:15:24.240
Business owners or managers, you know, that are actually running these parts of the business have blind spots as well, right, because they’re just trying to get stuff done.

00:15:24.780 –> 00:15:32.280
And it’s, it’s funny, you know, the Sanofi thing with the with the the credit that would they call them. They weren’t credit memos, but they were

00:15:32.280 –> 00:15:33.210
credit notes.

00:15:33.300 –> 00:15:34.800
credit notes. Okay.

00:15:36.330 –> 00:15:41.850
You know, that’s one of those where, you know, this is why it’s so important to get all of those people together.

00:15:42.300 –> 00:15:51.180
And actually discuss openly and honestly what’s going on so that each of those people, you know, you’re going to have blind spots, but somebody else isn’t

00:15:51.570 –> 00:16:02.910
And somebody can raise their hand to go well. Just a minute I credit note is really this right because to me it almost seems like that was an attempt

00:16:03.510 –> 00:16:11.820
To continue to bribe but meet the letter of the law because we’re not giving them cash we’re giving them credit note right

00:16:12.510 –> 00:16:20.760
And you know, it’s the old thing if it walks like a duck. If it talks like a duck and it quacks like a duck, it’s probably a duck, you know, even if it’s even if it’s got

00:16:21.510 –> 00:16:37.950
You know, different clothes on, or whatever, right and and people have to kind of think about that because that you know i’m sure for that one. That was again a pretty big fine and penalty that goes along with it and don’t try to be too cutesy of thinking that you can get away with something

00:16:39.360 –> 00:16:46.950
Because if even if effectively if what you’re doing is still bribery, they’re still going to come back at you, regardless of what you call it, yeah.

00:16:47.460 –> 00:16:56.970
Now I’ve got my next two cases. I’m going to get to Quad/Graphics at the end because that’s such a big and late-breaking case, it just deserves its own time, but

00:16:58.290 –> 00:17:09.840
Right now, I wanted to also mention Microsoft and Polycom. They both had enforcement actions, I think Polycom end of last December and then Microsoft over the summer.

00:17:10.560 –> 00:17:27.540
These are much more tangible and common sort of traps, as opposed to the credit multiple Sanofi, but both Microsoft and Polycom, they were fined when their resellers. And again, it’s always the third party. It’s reseller, distributor, the local agent on them.

00:17:28.890 –> 00:17:40.110
They were asking Microsoft and Polycom corporate headquarters, could we please offer extra discounts to customers that we want to sell the software to

00:17:41.670 –> 00:17:50.310
And then the senior business review people at corporate headquarters said, well, yeah, sure. Why do you need the discount? Oh, because it’s

00:17:51.450 –> 00:17:56.550
Competition and that was it. That was the evidence and the justification for the discount

00:17:58.080 –> 00:18:09.450
Yet again, what happens of course is the discount gets granted supposedly to be passed along to the end customer the end customer in the real world never sees the discount the discount is awkward.

00:18:10.080 –> 00:18:20.610
And very sour patch for the bribe to the end user who is the Assistant Minister of what whatever in some foreign country.

00:18:22.110 –> 00:18:29.520
So that is a very common sort of a thing. That’s a very common scam. But what it is, it’s always the same request is we need in

00:18:30.540 –> 00:18:41.490
This going on with Microsoft’s they specifically wanted with countable. I think was 7.2%. I don’t know why point 3% would have triggered more red flags, but

00:18:41.790 –> 00:18:42.540
Whatever they

00:18:42.810 –> 00:18:45.600
Are the more the more the more real, it must be

00:18:45.600 –> 00:18:47.640
Right. It could be. Yeah.

00:18:49.170 –> 00:18:59.100
They specifically said they they will always come and they’ll ask the parent company. Can we get this discount and then the parent company will say, well why competition.

00:18:59.580 –> 00:19:11.940
But there’s no digging into. Is that actually true. And really what you need. If you want to govern this problem. Well, is you need to grant these discounts on a case by case basis.

00:19:12.330 –> 00:19:19.470
Where the reseller provides hard evidence of why do we need this discount for this specific customer

00:19:20.190 –> 00:19:35.310
What else have we heard. Can we get that evidence can put it into a file, and we have all of this documented so that if some government regulator asks about the transactions, we can show that we did our due diligence on giving this discount

00:19:36.180 –> 00:19:47.670
Which did not happen with Microsoft and Polycom, they had like some sort of a senior business conduct desk at headquarters. That would just say, Yeah, sure, competition, go ahead and take a discount

00:19:49.020 –> 00:19:56.550
Out I I don’t know all the ins and outs of every piece of financial software out there, but I do know that there are

00:19:57.030 –> 00:20:10.350
Plenty of financial software that would let you collect all of this data and hold it in a single repository. So the evidence can be contained with the transaction in the discount. You want to give

00:20:11.100 –> 00:20:19.680
But you need to do that. I’m not necessarily saying it easy, although it is easier today than it would have been in like 2009 or 2011

00:20:20.430 –> 00:20:24.990
But that’s the sort of stuff that you need to think through, so now we’re at a

00:20:25.500 –> 00:20:41.340
regulatory compliance issue where the solution is going to be checking the accounting policy or, you know, what are the evidence standards we want, and it’s it system. We actually have the IT systems to gather this data reliably and store it in case we face a regulatory review.

00:20:42.630 –> 00:20:48.960
It all makes sense when you spell it out like that. But if you’re just an ethics and compliance lawyer who is worried about due diligence.

00:20:49.620 –> 00:21:01.140
On temp and third party governance as a content may not necessarily have the sophistication around those specific issues because they don’t teach this stuff in law school. They teach law in law school.

00:21:01.830 –> 00:21:09.270
So it can be very difficult for some companies route. This is the right approach to govern third party West’s around on corruption. Yeah.

00:21:09.780 –> 00:21:13.920
Well, I think in both of these examples that you gave with, you know, Microsoft, Polycom

00:21:15.000 –> 00:21:27.630
It doesn’t appear that those companies were knowingly right complicit with this, but the fact that, you know, again, they were still held liable for it because

00:21:28.050 –> 00:21:38.580
They didn’t maybe ask as much in the due diligence as they should have. Right. They just accepted the extra discounts and all why competition. Okay, that sounds good.

00:21:39.090 –> 00:21:44.040
Right, that a lot of times you can unwittingly kind of be be pulled into these things.

00:21:44.880 –> 00:21:51.600
But like you said, you know, it’s like will you know any so can maybe for people to learn. Anytime there’s like

00:21:52.260 –> 00:21:58.980
Significantly favorable pricing to different people, or like that. If you’re doing a reseller model.

00:21:59.310 –> 00:22:03.630
You know where you’re selling to them. They’re selling to the customer. So you don’t actually see the end stuff.

00:22:04.020 –> 00:22:16.470
Yeah. Any discounts. You’re giving you don’t know where that’s going because there’s a good chance they’re probably still charging their end customer full price, but they could be using that money then for whatever whatever they choose to do right

00:22:16.530 –> 00:22:17.970
That that is very true. Yeah.

00:22:18.390 –> 00:22:23.160
So variations in pricing and and especially when you get these

00:22:24.360 –> 00:22:30.090
Exceptions when it comes to pricing. Those could be some areas where some of this stuff could be hidden.

00:22:31.980 –> 00:22:36.150
Yeah, which again. Well, there’s two examples of that’s exactly what happened there.

00:22:37.530 –> 00:22:46.320
Which brings us to Quad/Graphics, where they had an enforcement action. I want to say it was September 27 or to the very end of September.

00:22:48.360 –> 00:22:56.550
Where this enforcement action is just, you have to sit back and marvel at it at a macro level.

00:22:57.780 –> 00:23:06.270
Quad/Graphics violated probably every block and tackle compliance process you should have in the book.

00:23:06.810 –> 00:23:13.380
They messed up on due diligence, they messed up on investigation, they messed up on sitting strong anti corruption own

00:23:15.000 –> 00:23:26.730
What specifically happened was, I give you a great example. So Quad/Graphics sells marketing services, printing services and all this, and they had an operation in Peru.

00:23:27.270 –> 00:23:35.910
That was bidding on a government printing contract in Peru, and Peru is a highly corrupt country, so no surprise.

00:23:36.270 –> 00:23:51.240
The Peruvian government official wanted a bribe. So the local Quad/Graphics business unit, Quad Peru, arranged to funnel the bribe to the government official through four sham vendors

00:23:52.650 –> 00:24:07.920
Three of which were in the same physical address and all four were owned by the same person. So any modicum of due diligence would have turned up but this smells like Deadpool. And if this is not cool.

00:24:08.370 –> 00:24:17.760
Well, they didn’t do it. Yeah. And because and because with that matter who it was that those were actually in the records. Right. I mean this this is one of those examples where they were just totally sloppy because

00:24:18.090 –> 00:24:30.960
You know, a lot of companies do run you know vendor matches, you know, and in some of these different tasks that would hopefully identify that right. Hey, we’ve got four vendors that have the same physical address where you will lie right

00:24:31.200 –> 00:24:45.090
Exactly but and they weren’t even trying to hide it in the records. I mean, if somebody would have done that or I think if I remember right from were talking before they were even like duplicate invoice numbers right there were the same, same invoice numbers.

00:24:45.150 –> 00:24:47.910
Being Pat, they were, I think, literally duplicate

00:24:47.940 –> 00:24:59.100
invoices. I know that they were duplicating invoice numbers but i i the fact patterns or in this case we’re long so I’m a little fuzzy and all details, but I’m pretty sure it in several instances.

00:24:59.400 –> 00:25:06.930
They were the exact same invoice about why wouldn’t they be if it’s the same guy and he’s living in the same address, but it’s a sure yeah

00:25:07.710 –> 00:25:15.930
Duplication all around. But you’re right. I mean, they just, they didn’t catch even that sort of model on basic block and tackle impact corruption measure didn’t work.

00:25:18.540 –> 00:25:27.120
What else that had happened here. So I really enjoyed this was that by this these bribes were happened early 2010

00:25:27.840 –> 00:25:46.500
So by 2013 the bribe payments worried some of the local Quad Peru people enough that they took their concerns to the Latin America finance director for Quad/Graphics, who is a US resident and working in the corporate parent here in the United States.

00:25:47.670 –> 00:25:58.680
And they showed this person the invoices that were questionable, they said, you know, we’re not really sure what to do here. The US executive and this I’ll quote directly from the

00:25:59.310 –> 00:26:12.240
Enforcement Order advise the Peru finance managers do not forward any more invoices directly to him, him being the US guy and then he would look into that matter. And then of course never looked back into it.

00:26:13.500 –> 00:26:22.980
So that was in 2013. By 2015 that Quad Peru finance manager who had some concerns and went to the boss. What do we do

00:26:23.400 –> 00:26:37.350
Don’t send me any more invoices, I’ll look into it, and then he never did. Two years later, a new Quad Peru finance manager is there. He also has concerns, he goes back to the same US finance manager.

00:26:37.890 –> 00:26:47.430
And it says all over again. We have concerns and now the finance manager goes to legal and then it becomes a thing, and now suddenly we’re self disclosing and we’re off to the races.

00:26:47.790 –> 00:26:55.110
But in 2013 this US executive says don’t send me any more evidence, I promise I’ll look into it, and then in 2015

00:26:55.440 –> 00:27:04.920
Now he actually looked into it. So then now we have really a failure of follow up. I would say a failure of personnel of failure of the tone of, I don’t know how close he was to the point

00:27:05.460 –> 00:27:18.210
Out that there was not a good tone wherever this person was. So we had more failures of not taking the allegation seriously, because I think that’s more troubling than the duplicate invoices.

00:27:19.080 –> 00:27:24.630
Well, I think, from it because that’s where you know because they didn’t do anything about it for two years.

00:27:25.200 –> 00:27:38.370
Yeah, you know, again, this is, this is one of those things. So, you know, especially if you’re the compliance person or the audit person, any, any and this has happened to me. I don’t know how many times in my career. Anytime somebody says, I’ll look into it. Don’t worry about it.

00:27:39.090 –> 00:27:47.760
Well, that’s just like a huge red flag. Yeah. You know, it’s like okay well you look into it. But guess what, I’m going to follow back up with you next month and see what you did.

00:27:48.540 –> 00:27:58.980
Right, so it was it was not only a failure on on the you know the the US finance director not following up but maybe those other people should have followed up as well. So

00:27:59.370 –> 00:28:05.700
You know, if you’re the compliance or auditor and somebody tells you that your spidey senses should go up right away. Right.

00:28:05.790 –> 00:28:06.900
This is a should

00:28:07.020 –> 00:28:07.650
They should it

00:28:09.210 –> 00:28:17.010
You know, so now you get into all sorts of questions about what is this company’s culture of compliance and tone at the top and

00:28:17.730 –> 00:28:27.660
That’s. Those are questions that US prosecutors are going to ask and when they’re asking those questions you have a much bigger and more serious problem, then how do you not get duplicate invoices.

00:28:28.680 –> 00:28:33.120
So yeah, you’re, you’re spot on with what you’re saying here. Yeah.

00:28:33.150 –> 00:28:40.710
Because again, if they start asking those questions about culture of compliance, all of a sudden that totally goes different right i mean

00:28:41.250 –> 00:28:51.270
If you from the US Federal sentencing guidelines, kind of get thrown out the window at that point. And it’s just you’re going in naked. They can pretty much do to you, whatever they want to do.

00:28:51.630 –> 00:28:59.310
I mean, look, if you’ve got some sloppy controls their sloppy IT systems and you miss duplicate invoices that is unpleasant.

00:28:59.970 –> 00:29:02.820
But that is like an IT failure and maybe a corporate settlement.

00:29:03.750 –> 00:29:11.520
If prosecutors start getting it into their head that somebody is not taking this seriously. Then suddenly we’re looking at personal indictments

00:29:11.850 –> 00:29:21.600
People getting fired people losing their licenses. There’s only so many people who are going to fall into that and you listener, whoever you may be like you don’t want to be on that radar screen.

00:29:22.560 –> 00:29:28.500
So that’s when you see these things suddenly become much more serious is when they think they have a bad tone at the top or they’re not making a

00:29:29.460 –> 00:29:38.430
Call to seriously that can lead to much larger fines and it can lead to personal charges against various executives and you don’t want to be there.

00:29:39.480 –> 00:29:46.200
I had one other big Quad Graphics issue I wanted to raise, but I also have one funny Quad Graphics.

00:29:48.570 –> 00:30:03.150
Aside from all of this fixing government contracts, Quad Graphics also was trying to bribe judges in Peru to fix a tax case where they were paying $20,000 to the district judge dining room the case and

00:30:03.870 –> 00:30:13.860
They lost. So first off, the guy who was fixing it. They were using a corrupt law firm down there refunded the money to Quad Peru, because they didn’t fix the case.

00:30:14.880 –> 00:30:24.270
But then they had a deal. So then the price of the bribe went up from 20,000 to 50,000 because when you’re fixing an appellate case, of course, it’s more expensive.

00:30:25.170 –> 00:30:39.180
Or higher up the food chain. I bet you could read the story and like, You gotta be kidding me. All the way down. And there’s even more to the Quad Graphics place. I won’t get into, but the big issue. I always thought stood out to me but Quad Graphics was

00:30:40.650 –> 00:30:48.840
This was the company that came into being on graphics for a long time was privately held family owned for decades.

00:30:50.310 –> 00:31:11.520
And then 2010 it purchased a much larger publicly traded Canadian provinces and then suddenly quad graphics becomes this global behemoth and they’re in countries all over the world. And they’ve got 16,000 employees and this company was not prepared for life as a public will pay them.

00:31:12.600 –> 00:31:16.080
That’s what tripped them up. They had no compliance program.

00:31:17.130 –> 00:31:25.650
When they did finally hire a compliance person. It was at the director level that person had no compliance or technology experience.

00:31:26.040 –> 00:31:34.530
And it took them years and years to catch up and those years and years. That’s when all this stuff in Peru happened and it happened in several other countries as well.

00:31:35.640 –> 00:31:41.250
So I saw that more as like a failure to assess your strategic risks.

00:31:41.760 –> 00:31:50.220
That was the original sin here and all this other funny stuff about fixing tax cases in Peru and there was issues in Cuba and China and everywhere else.

00:31:50.580 –> 00:32:02.340
All symptoms of the underlying flaw, or the underlying illness with that board and the C suite and frankly, whoever was providing some audit or risk assessment services.

00:32:02.910 –> 00:32:14.040
At that time, like they didn’t say your compliance posture is going to change radically when you do this, and you need to plan now and that didn’t happen. Look where they are. Mm hmm.

00:32:14.520 –> 00:32:19.050
Well, I think that’s that that’s very common with lots of companies, right, I mean sometimes

00:32:19.770 –> 00:32:26.670
Your growth can be so quick that you’re not really prepared from an infrastructure standpoint. But you know, I really appreciate that you brought up. I mean,

00:32:27.000 –> 00:32:36.270
Probably the biggest thing, like you said it was actually a failure to assess the strategic risk properly and I see this over and over again when companies get themselves in trouble.

00:32:38.670 –> 00:32:51.690
Too much of the time we’re focused down at the risk level at the process level, you know, lower down in the organization that we we forget are like totally overlooked, some of the, what should be glaring strategic risks.

00:32:51.900 –> 00:32:52.530
Right, so

00:32:52.770 –> 00:32:59.970
So again, I mean, if you look at this, it’s like, you know, they start off as a smaller company here in the US. Now all of a sudden they buy this Canadian company.

00:33:00.330 –> 00:33:09.480
They’re in lots of different countries. It’s like, okay, hold it. Somebody at that point should say, hey, now we’re going to have to operate in 15 countries, instead of one.

00:33:09.930 –> 00:33:17.880
Maybe that raises our risk a little bit, maybe we have to do things a little different but apparently nobody really asked that question.

00:33:18.330 –> 00:33:27.840
You know, or the same thing of, hey, we’re just a private company. And now we’re going to go public. Well, again, somebody should be asking questions. What is that going to do. What’s that different. Right.

00:33:28.410 –> 00:33:34.110
If you’re, you know, if you’re dealing with government you know you’re doing government contracting

00:33:34.590 –> 00:33:40.260
You know, because again, as we talked about kind of the begin with I mean SEC is serious about FCPA stuff right

00:33:40.800 –> 00:33:47.970
Well FCPA usually relates to bribery and corruption which who’s the other side of that, it’s usually government officials.

00:33:48.330 –> 00:33:56.640
So you know if your organization doesn’t do any anything with the government. Okay, your risk is probably lower. But if you are

00:33:57.180 –> 00:34:06.480
And you’re doing business in some of these higher risk countries with the government, you know, like we’ve had the example of Peru.

00:34:07.350 –> 00:34:20.190
Somebody’s got to realize that there’s probably some funny business going to be going on because there’s there’s certain jurisdictions in the world that you just can’t get anything done without playing by the rules and, you know,

00:34:20.250 –> 00:34:30.840
It would also strikes me as I agree with everything you say. But you are getting people to try to think about answers to these questions, but it raises the more fundamental mistake was that

00:34:31.740 –> 00:34:45.780
An event happened in Quad Graphics life and nobody stop say wait. What questions should we be asking. As a result of this change from privately held US company to publicly traded global thing know

00:34:46.980 –> 00:34:55.110
That function asked should be there are four star to audit are anti corruption Rex, the SEC enforcement action specifically says

00:34:55.530 –> 00:34:59.370
That the internal audit function did not step up with SAS me and quite corrupted

00:35:00.030 –> 00:35:05.010
Now, that’s all the questions that you were just asking. And you know the answers very but

00:35:05.430 –> 00:35:21.060
Nobody took that moment to say, now it’s the time asking questions, we just went through a big thing where we’re about to go through a big thing. But we even have been better. But nobody asked that the right questions at the right time, or thought and now it’s the time off.

00:35:22.110 –> 00:35:27.330
And that’s, that’s the through line for all of Quad Graphics, many, many compliance laws as

00:35:28.290 –> 00:35:30.000
Well, and it’s not just that. I mean, again, they’re

00:35:30.030 –> 00:35:38.430
They’re just one example. It happens to be in the news recently but I mean this this story we’ve heard how many. I mean, maybe not this egregious

00:35:39.600 –> 00:35:46.980
You know, in all of his different aspects but but these these different sub storylines. You hear all the time, you

00:35:47.250 –> 00:35:50.190
Live with companies that are making some of these same mistakes so

00:35:50.490 –> 00:35:54.600
You could shift the conversation or shift the example to say

00:35:55.650 –> 00:36:06.960
That you are a consumer sales business and you’re going to start offering online channels for sales and that is a big change. And you need to stop and ask what are our new cyber security risks going to be

00:36:07.440 –> 00:36:22.680
I don’t know what they’re going to be, but really I just changed the word anti corruption to cyber security, but exactly the same stuff hold true in both cases, big life change for the organization and nobody took the climate, say, what are the

00:36:24.450 –> 00:36:26.850
Rules and that’s that’s what I do.

00:36:28.050 –> 00:36:33.090
Well that’s and that’s why, again, hopefully you know us talking about this today. We’ll get some people

00:36:33.570 –> 00:36:43.650
You know, to think about it. I guess for me especially as kind of a career auditor. The thing that I hate the most about the Quad Graphics thing is that damning

00:36:44.190 –> 00:36:53.940
Statement in there that internal audit didn’t, didn’t do anything. Right. I mean, because that’s actually in the government report, I think you were saying. Right. Yeah.

00:36:54.000 –> 00:36:58.080
There was no internal audit assessment of anti corruption risks.

00:36:59.730 –> 00:37:07.560
Yeah, and I mean like if from there are the rest is just variations on the theme. The rest is just, well, what else was going to happen.

00:37:08.040 –> 00:37:17.910
You know, I didn’t know exactly that it would happen in this way, but you could see from a mile away. If you go through a big change like that and we don’t assess the risks when I hit something.

00:37:18.300 –> 00:37:25.470
It happened to be with Peru and China and Cuba for this company, but it’s going to be something else for some other company if they don’t do this.

00:37:26.250 –> 00:37:38.280
Yeah, so it’s still about it’s asking the questions, you know, not taking, you know, just kind of the pat answer, like we said, you know, the Sanofi issue of, you know, why do you need to offer it well because you know

00:37:38.880 –> 00:37:39.900
Competition. Yes.

00:37:40.170 –> 00:37:42.630
Or no, but it was Microsoft Polycom right the extra

00:37:42.840 –> 00:37:53.520
Was right was was for them, you know, or stuff with Sanofi with those credit notes. Okay, well, what is a credit note exactly how can you use that. What would you use that for

00:37:53.850 –> 00:38:00.090
Are they convertible to cash right. That’s one of the reasons why I’m coupons coupons are not convertible for cash right

00:38:00.120 –> 00:38:02.100
Because there’s, there’s a whole other

00:38:03.360 –> 00:38:12.720
Thing that can go on behind that and controls that have to be around those if things like that can actually be converted for cash because it’s an easy way for people to steal. Yeah.

00:38:13.080 –> 00:38:22.740
But, and even to your point about maybe using coupons instead of notes that could be converted into cash. It requires the accounting and audit experience.

00:38:23.430 –> 00:38:30.870
It’s to know. Well, we could solve the problem this way with the compliance perspective. No, we need to solve this, because the SEC is enforcing it.

00:38:31.260 –> 00:38:44.910
And the two have to come together to be able to figure this out and then get your company in a position that it, you know, avoid these sorts of trouble because they’re not going away the SEC is not going to stop enforcing this. Yeah.

00:38:48.000 –> 00:38:55.290
Well, Matt. We’ve given people a lot of stuff to think about today and you know some some good I think actual

00:38:55.740 –> 00:39:00.600
You know, real life stuff. I know sometimes when we talk about some of these concepts. It’s

00:39:00.930 –> 00:39:10.470
It’s a little bit in the abstract, so we actually did talk about some actual companies, some of the things that they’re going on with. And again, this is all public information. So it’s nothing. It’s really confidential.

00:39:11.280 –> 00:39:17.940
But it’s it’s things that people are actually dealing with. And so again, you know, for you if you’re listening to this.

00:39:18.330 –> 00:39:23.700
You know, think about how do some of these things that we talked about today, how might they relate back to your organization.

00:39:24.060 –> 00:39:39.210
What questions may you need to ask what you know internal controls are obviously an important thing, right, because, you know, again, the SEC is using that as part of their, their basis for determining you know if they’re going to come after you and how they’re going to come after you. So

00:39:40.500 –> 00:39:48.930
And audit risk and compliance professionals play. And I think an increasingly important role in organizations.

00:39:49.950 –> 00:39:54.690
Because the fines get bigger and bigger and the penalties and the

00:39:55.950 –> 00:40:05.460
Kind of cost of doing business. It’s not, it’s not the right word but effectively like, you know, the government imposed sanctions, if you will.

00:40:05.910 –> 00:40:15.720
Almost putting companies out of business, or no longer allowing them to operate a business is going to continue to be a bigger and bigger risk as we move forward.

00:40:16.080 –> 00:40:16.950
Yeah, I think.

00:40:17.280 –> 00:40:18.060
So instead,

00:40:18.090 –> 00:40:32.610
It’s going to be a drag on corporate operations and efficiency and yeah and all the other attendant reputation harm the civil litigation all the other headaches. Like, it all boils into exactly what you’re saying. Yep. Yep, exactly.

00:40:33.090 –> 00:40:42.000
Well, hey, Matt, I appreciate you taking the time with me today to go through this and to share, share your wisdom with everybody that’s out there.

00:40:43.140 –> 00:40:44.580
It’s been a lot of fun, Jason. Thank you.

00:40:44.850 –> 00:40:45.540
Alright thanks man.
