|
|||||
|
|||||
Search Software Personal Help |
Voluntary compliance: protection or self-incriminating road map?By Janet S. Greenlee and David BukovinskyIn Brief
Compliance Programs Should Help
Based on the first four years of experience with the Organizational Sentencing Guidelines (OG), the authors present an overview of their effect on various organizations: small, large, for profit, and not-for-profit. The bottom line question is: How does an organization best protect itself from the consequences of these Federal Sentencing Guidelines? Presented is an effective compliance program that should serve as a starting point for organizations to develop and implement their own individualized compliance programs. While much has been made of the benefits of such programs, they must not be seen as a guaranteed way to escape penalties under the OG. Such programs are expensive, and the evidence to date shows that individual programs are frequently judged to be ineffective. In fact, the information voluntarily disclosed by organizations as part of these compliance programs can be used by the Federal government as a road map to identify and prosecute violators. Despite these drawbacks, voluntary compliance programs are one way to provide reasonable assurance of preventing illegal acts and reducing the penalties resulting from these acts.
In 1991, the United States Sentencing Commission's Sentencing Guidelines were amended to bring organizations convicted of violating Federal laws under its umbrella. The penalties are severe and can include up to $290 million in fines, probation, community service, and restitution. Since a 1993 National Law Journal survey of corporate counsels found that two-thirds of their companies operated in violation of various Federal regulations, it appears that significant latent liabilities may exist.
Companies have attempted to mitigate their potential liabilities by establishing compliance programs. The OG recognized the importance of these programs by stating that an organization with an effective compliance program in place at the time of a violation may experience a substantial reduction in penalties. However, these programs are not risk free. Information gathered as part of a compliance program may be used to identify and prosecute violators.
The following paragraphs discuss the application of OG during its first four years of operation (1991-95), describe the attributes of an effective compliance program, and present some of the potential drawbacks of these programs.
The United States Sentencing Commission was established by Congress in 1984 as part of the Comprehensive Crime Control Act. Its purpose was to reduce any "unwarranted sentencing disparity among offenders with similar characteristics convicted of similar criminal conduct while permitting sufficient judicial flexibility to account for relevant aggravating and mitigating factors." As part of the Department of Justice, it does this by developing and overseeing Federal court sentencing policies and practices and by promulgating sentencing guidelines. In 1991, these guidelines were amended to include organizations convicted of criminal activities. The goals of the OG are "to provide just punishment, adequate deterrence, and incentives for organizations to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct." The OG apply to 80% of all Federal offenses typically committed by organizations, including violations in the areas of government contracts, employment practices, securities law, immigration, occupational safety and health, antitrust, taxation, advertising, and the environment.
Between 1991 and 1995, 280 organizations were sentenced under the aegis of the OG. Since the OG were made applicable only to organizations sentenced for acts occurring after November 1991, this number is sure to increase rapidly. The most common convictions have been in the areas of fraud (30%), antitrust (32%), environmental (12%), and tax (9%).
The OG apply to all "corporations, partnerships, associations, joint stock companies, unions, trusts, pension funds, unincorporated organizations, governments and political subdivisions thereof, and nonprofit organizations." Although penalties apply to all organizations, only three percent of the sentenced organizations have been openly traded. Ninety-five percent were closely-held organizations, and the remaining two percent were quasi-governmental or benevolent organizations. Seventy-nine percent of the sentenced organizations employed fewer than 100 persons. More than fifty percent had been in operation for less than 15 years. Thus, the penalties seem to have been applied primarily to small, closely-held, recently established organizations.
Organizations sentenced under the OG can be subject to fines, restitution, probation, and community service requirements.
Fines. Fines are assessed first by calculating a base fine which is the greatest of the victim loss, organizational gain, or the U.S. Sentencing Commission's Offense Level Fine Table. Fines assessed using this table, range from $5,000 to $72,500,000 per offense. Sentencing judges can depart from this base fine by assessing a culpability score. The fine can be increased based on the size of the organization, involvement of top officials, previous regulatory violations or criminal convictions, or obstruction of justice. The fine can be decreased if the organization has an effective compliance system in place that detects and prevents violations, voluntarily discloses the violation(s), cooperates with the authorities, or accepts responsibility. The total penalty can escalate rapidly. For example, an organization convicted of a single offense with a maximum base fine of $72,500,000, no downward departure reasons, and the maximum upward departure reasons, could see its total penalty reach $290,000,000. This could easily double or triple in the case of multiple convictions.
Between 1991 and 1995, 223 organizations received sentences that included a criminal fine. Seventy five of these organizations received increased penalties because of involvement or tolerance of criminal activity by personnel with substantial authority. Eleven organizations were found to have obstructed justice by falsely testifying to the grand jury, lying to investigators, or altering documents. Penalties were reduced for 87% of the defendants because they cooperated with the government or self-disclosed the violation(s). The average fine assessed was $376,028.
Restitution and Community Service. In addition to fines and probation, convicted organizations can be required to compensate "identifiable" victims for any harm caused by the violation(s), or perform community service that alleviates the harm caused by the violation(s). Between 1991 and 1995, 68 organizations were ordered to pay an average restitution of $279,175.
Probation. An organization can be sentenced to probation for many reasons, including the catchall reason, "necessary to accomplish one or more of the purposes of sentencing . . ." This penalty can be even more burdensome than either the fine, restitution, or community service. Probation can last up to five years, and can require the organization to allow Federal probation officers to monitor its operations and to submit to regular or unannounced examinations of its books, records, and premises. Sixty-one percent of those organizations sentenced under the OG between 1991 and 1995 received an average of 3.3 years' probation.
Additional Penalties. Organizations may be penalized in additional ways. They can be blacklisted from future Federal contracts and suspended from present government contracts. Further, the payment of criminal fines is not deductible from income for income tax purposes.
Organizations may be able to avoid or reduce penalties associated with the OG by having in place a program that combines prevention with detection and appropriate response to violations. Under the OG, such programs are to be taken into consideration by the sentencing judges. Effective compliance programs are viewed by the Sentencing Commission as one way to reduce the number of violations committed. The OG encourages organizations to implement compliance programs by using a carrot-and-stick approach. The carrot is the reduced penalties received by an organization if a violation does occur despite the existence of an effective compliance program. The stick is the requirement that an organization without such a program can be required to adopt one designed and approved by the government as part of its sentence. Twenty-nine organizations, between 1991 and 1995, were required to implement compliance programs as part of their sentences.
The benefits of an effective compliance program are twofold. First, organizations with effective compliance programs should experience fewer violations. Second, if they break the law in spite of these programs, but promptly report the infraction(s) and cooperate with the authorities, any fines and penalties could be reduced by as much as 95%. For example, an organization facing the maximum base fine of $72,500,000 with no upward culpability adjustments, could see its total fine reduced to $3,625,000.
As with any internal control system, an effective compliance program must have both prevention and detection aspects. To be effective, the program need not ensure that all violations will be prevented or detected, but should provide reasonable assurance of doing so. The OG list seven attributes that must be present in any compliance program: standards and procedures, compliance oversight, care in delegation, effective communication, monitoring and reporting, consistent enforcement, and appropriate response.
Standards and Procedures. The organization must establish standards and procedures that are reasonably capable of reducing the prospect of criminal conduct. For many organizations, a well-written code of conduct or ethics may be a worthwhile starting point for developing standards and procedures to help diminish the likelihood of misconduct. The code of conduct could serve as a guide for developing more detailed procedures to ensure compliance with specific Federal regulations such as those relating to hiring policies, workplace safety, or the handling of toxic materials. Standards and procedures must initially be developed for the entire organization, then refined and operationalized for specific departments.
Compliance Oversight. Specific high-level personnel must have overall responsibility to oversee compliance. Support for the program must come from the highest levels of the organization if the proper attitudes toward compliance are to become part of the organizational culture. Oversight for the program should be assigned to the board of directors, audit committee, or other high level of management. A compliance program will not carry as much weight if middle or low-level personnel are assigned oversight responsibilities but lack the authority to implement the procedures across all levels of the organization.
Care in Delegation. The organization must avoid delegating substantial discretionary authority to anyone the organization knows or should know has a propensity to engage in illegal activities. Proper background checks of employees in key positions are almost a necessity if the organization wants to establish an effective program. Individuals with a history of illegal activities or a proclivity toward such actions pose three threats to the organization. First, such employees are a threat to the design and implementation of the compliance program. Individuals with a proclivity toward illegal acts may intentionally design into a program weaknesses which can later be exploited. Second, unethical employees in responsible positions may use their authority to circumvent or override procedures and controls, or tolerate illegal acts of subordinates. If an override is tolerated, or covered up by falsification of records, the organization may face additional penalties. The OG call for increased penalties for tolerating, condoning, or willfully ignoring illegal acts, or obstruction of justice as would occur with falsification or destruction of records. Finally, these individuals are not effective role models for their subordinates. An individual with questionable ethics can hardly be expected to motivate other employees to comply with the organization's policies and procedures.
Effective Communication. The organization must effectively communicate its standards and procedures to all employees or other agents, including independent contractors, through training programs or publications. Compliance cannot be a lofty ideal of management. A compliance program can only be effective if it is understood and practiced by all employees and other agents, not just those in responsible positions. Hourly employees can cause serious problems for the organization, for example, by committing software piracy, selling illegal drugs on company property, or falsifying records on emissions. Therefore, all employees should receive adequate, ongoing training on the company code of conduct and specific compliance topics related to their duties. Organizations should also develop, distribute, and periodically update a procedures manual containing such things as applicable laws and regulations, copies of permits, and names of responsible individuals to contact in case of an emergency.
Monitoring and Reporting. The organization must take reasonable steps to achieve compliance with its standards by implementing monitoring and auditing systems that provide reasonable assurance that employee criminal conduct will be detected, and by publicizing a reporting system whereby employees and agents may report criminal conduct by others. These systems serve at least two purposes. First, such systems may expose illegal acts allowing the organization to deal with the perpetrators and cooperate with the proper authorities. Such actions on the part of the organization may reduce penalties by earning the organization downward adjustments in the culpability scores used by the OG. Second, well-publicized monitoring and auditing systems may dissuade individuals from committing illegal acts in the first place by instilling in them a fear of exposure.
To assist in monitoring compliance, organizations should establish some method for employees to report instances of noncompliance. Such a reporting program must protect the whistle-blower from retribution. Organizations may want to consider instituting a confidential reward program for information relating to noncompliance with applicable laws or regulations. Monitoring, auditing, and reporting mechanisms alone will not provide maximum protection from the OG. The organization must be prepared to cooperate with the proper authorities once a violation has been discovered.
Consistent Enforcement. Standards must be enforced consistently and must invariably discipline employees who fail to report an offense. Employee discipline may run the gamut from warnings to dismissal, depending on the severity of the offense. If necessary, the employee should be turned over to the proper authorities. For less serious infractions, the organization may impose mandatory training sessions on compliance-related issues in place of, or in addition to, other penalties. Organizations should also consider penalties for the failure to report infractions. Such conduct could be construed by the courts as tolerating, condoning, or willfully ignoring the infraction. Penalties for failing to report illegal acts, along with rewards for reporting such acts, will serve as further evidence of management's resolve to comply with applicable laws and regulations. Management should strive for consistency in the assessment of penalties. Failure to do so may give employees the notion that certain acts are punishable while others are not, or that enforcement is so spotty that the expected rewards from performing illegal acts may outweigh the expected penalties.
Appropriate Response. After an offense has been detected, the organization must take reasonable steps to respond appropriately, including reporting the offense immediately to the appropriate authorities, and to prevent further offenses by making any necessary modifications to the compliance program. This final guideline for an effective compliance program recognizes that no program can be completely effective. Therefore, organizations should implement procedures for dealing with any illegal acts that do occur. Such procedures should clearly identify specific actions to be taken so that hasty decisions made under pressure will not add to the organization's troubles. Organizations must self-report any illegal acts to authorities, cooperate with the authorities, and accept responsibility for the actions of their employees in order to earn the greatest possible downward departure in penalties. An appropriate response to the commission of an illegal act goes beyond reporting the act and cooperating with the investigation. An effective compliance program would involve the additional steps of identifying how the act was able to occur and modify the compliance and control procedures to reduce the possibility of a similar occurrence.
Individual programs must be personalized for each organization based on organization size, prior history, and industry risk. In a 1995 speech presented at the Corporate Crime in America: Strengthening the "Good Citizen" Corporation Symposium in Washington, D.C., William Swenson, deputy counsel of the U.S. Sentencing Commission, admitted that these standards are deliberately vague. The commission, he said, wants organizations to "struggle a bit, to learn what works." Unfortunately, as a result, organizations risk discovering that their possibly extensive and expensive compliance programs are ineffective only at the time of sentencing.
Effective compliance programs can significantly reduce monetary penalties. There are, however, substantial risks related to the disclosures required as part of any compliance program. These exposures come from two sources:
Lack of Confidentiality. Discovered violations must be disclosed to the appropriate regulatory agencies immediately. In states with freedom of information or sunshine laws, this information must be made available to private citizens or groups, including competitors, possibly for use against the industry or company making the disclosure. For example, if a company discovers during a compliance audit that a violation has occurred in the area of workplace safety and, as required, reveals this information to the authorities, potential litigants can use that information to file a class action suit against the firm.
This lack of confidentiality can have a disastrous impact on the firm's public image. A firm that spends a significant amount of time and money in developing a compliance program, and publicizing the possibly negative results, could find itself the object of additional enforcement actions. Further, that firm may be perceived as being above the standards of competitors who do not have such programs and, as a result, may not report violations.
Lack of Self-Incrimination Privilege. Information discovered and reported can be, and has been, used against organizations in civil and state and Federal criminal prosecutions. This can truly be a conundrum for many corporations. Attorney Mark Rasch described the situation in Corporate Compliance: Standards for the 21st Century as follows:
According to the New York Times, eighteen states have passed audit privilege legislation. In these states, organizations that voluntarily disclose violations will either not be prosecuted by state or local authorities or will see reduced penalties. However, the risk of self-incrimination remains despite any state audit privilege law. State laws do not apply to the Federal government. In a criminal prosecution, the Federal government can and has used audit results to find prosecutable violations.
The OG claim that firms with compliance programs will be rewarded with significantly reduced fines if the programs are found to be effective. Between 1991 and 1995, four organizations claimed to have compliance programs in place at the time of their offenses. The one program that was deemed effective appears to have limited applicability. It was set up in a smoking paraphernalia retail store in order to prevent violations of drug paraphernalia laws by employees. The store produced a training video that instructed employees to refuse to sell products to customers who indicated the products would be used with illegal substances. Their subsequent fine was reduced by 40%.
The remaining three programs were determined to be ineffective. One program was ruled ineffective because the president of the organization was involved in violation of the compliance oversight and care in delegation requirements of an effective compliance program. A second program was deemed nonfunctioning because the president of the company initially denied knowledge of a violation of the appropriate response provision. The third compliance program consisted of extensive policies and procedures. However, the violations took place at newly acquired properties that did not have compliance programs before being acquired and the parent company was determined to be legally responsible. *
Janet S. Greenlee, PhD, CPA, and David Bukovinsky, PhD, CPA, are assistant professors of accounting at Pennsylvania State University at Harrisburg, Pennsylvania.
The
CPA Journal is broadly recognized as an outstanding, technical-refereed
publication aimed at public practitioners, management, educators, and
other accounting professionals. It is edited by CPAs for CPAs. Our goal
is to provide CPAs and other accounting professionals with the information
and news to enable them to be successful accountants, managers, and
executives in today's practice environments.
©2009 The New York State Society of CPAs. Legal Notices |
Visit the new cpajournal.com.