The IT Pro Portal website reports that a former SAP executive has pleaded guilty to bribing government officials in Panama to win technology contracts for the German software company. According to the U.S. Department of Justice, Vicente Eduardo Garcia, former vice president of global and strategic accounts, paid US$145,000 in bribes to one Panamanian official and promised bribes to two other officials to influence the country's social security agency to purchase US$14.5 million in technology from an SAP reseller based in Panama. Moreover, Garcia admitted to setting up a slush fund that enabled the reseller to purchase software from SAP at a steep discount and then sell the software for a higher profit. In addition to the DOJ charges, Garcia has agreed to a settlement with the U.S. Securities and Exchange Commission in which he will pay back US$85,965 in profits that he gained from the scheme.
Most large international organizations, in an effort to prevent bribery, corruption, and the contravention of the growing number of anti-corruption laws such as the U.S. Foreign Corrupt Practices Act (FCPA), have made significant investments to establish ethics and compliance programs. These programs typically include:
- Creating the position of chief compliance officer, who reports to the board of directors.
- Appointing compliance officers in all of the organization's business units and regional offices worldwide.
- Establishing a dedicated ethics and compliance team.
- Strengthening internal controls and procedures, especially in areas susceptible to manipulation in a bribery or corruption scheme.
- Implementing a code of ethics and an ethics and compliance hotline.
- Producing a dedicated anti-corruption manual.
- Conducting annual compliance training for all employees, along with a special focus on those working in strategic roles.
- Performing periodic audits of compliance and assessments of the adequacy of controls in key areas.
The DOJ and SEC websites carry an ever-growing list of large international companies and executives that have been charged with FCPA violations. The Garcia case raises several concerns for organizations:
- A senior SAP vice president, in a 2013 Forbes.com article, declared, "Compliance programs like the SAP Governance, Risk, and Compliance solution should be a company's first line of defense, especially considering that many employees aren't even aware they are breaking the law. Nevertheless, when it comes to FCPA compliance, the buck stops with you: your organization, your employees, your compliance program." That's well stated, if a little ironic given this case. It also highlights the fact that companies that sell computer hardware, software, or other technology solutions are just as likely to receive scrutiny for FCPA violations as any other type of company, and they should be prepared to demonstrate they have a good grasp on this fraud problem.
- More generally, boards of directors and executive suites should be particularly attentive. Most FCPA cases involve charges against companies, not individuals. While it appears that the DOJ organized its case against Garcia on the premise that he deliberately circumvented SAP's internal controls, the DOJ and SEC have not declared whether they will pursue charges against the company. Corporate culture and standards of business practices are critical factors in setting expectations for ethical behavior, and when a high-level official commits a fraudulent act, it would be fair to assess whether those factors were a systemic influence.
- At a minimum, bribery and corruption is a high-risk category for companies doing business in foreign countries, and a continuous review of internal controls, effective monitoring, and regular audit work should be a priority focus. The role of third parties, such as consultants, agents, channel partners, and distributors, in the conduct of sales and financial transactions is a particularly high risk deserving attention. Indeed, the DOJ and SEC have identified the use of third parties as a significant factor in most of their cases.
- In the Garcia case, it's hard to accept that for more than four years sham contracts and false invoices were used to disguise bribes and that a slush fund was used to sell software to a reseller at an 82 percent discount without raising a red flag. The standard for robust third-party due diligence needs to keep evolving as part of an organization's compliance program. That should include strengthened controls over executive delegations of financial authority, financial funding structures, onboarding, third-party background checks, and monitoring processes, as well as attention from the organization's CAE when the topics of fraud and risk assessments are discussed.