The unprecedented challenges created by the COVID-19 pandemic and resulting government lockdowns could strain even the most robust compliance programs. Companies have been appropriately focused on business preservation during this time, which has led to appreciable changes in how many companies operate, whether temporarily or permanently, and has forced many companies to reprioritize their use of resources and personnel. These changes may create potential compliance gaps in existing controls and procedures, and could present new compliance risks, requiring adjustments to existing procedures and controls or the development of new processes altogether.
As 2020 comes to an end, now is an opportune time for companies to reevaluate their international compliance risk profiles and compliance programs. The U.S. Department of Justice and the Securities and Exchange Commission have emphasized the need to conduct regular compliance risk assessments, particularly after events with the potential to significantly impact the business, such as the global COVID-19 pandemic. With year-end approaching, and SOX and financial audits on the horizon, companies should assess now how their compliance risk profile has changed as a result of the pandemic and associated lockdowns. This assessment should consider how current processes and controls have responded to newly created challenges and evaluate whether the existing compliance framework remains reasonably designed to detect and prevent violations of the law. Companies should use these findings to improve existing policies, procedures, and controls or, if necessary, devise new ones.
As a starting point, compliance officers should ask these questions:
- Changes to Business Operations: Did the company experience any COVID-19-related changes to business operations, such as closing facilities or offices, adjusting product lines, adopting new sales/marketing initiatives, revising procedures relating to internal investigations, targeting new customers or markets, or modifying or expanding supply chains/suppliers?
- Government Funds or Loans: Did any of the operating companies, subsidiaries, or affiliates accept government funds or loans during the crisis? If so, the programs, terms and conditions, and any required certifications or representations should be closely reviewed to ensure compliance.
- Third Party Intermediaries (TPIs): Did the company engage new agents, brokers, consultants, law firms, distributors, or other TPIs during the crisis and, if so, did the company ever bypass normal procedures based on pandemic-related exigencies? Any bypassed procedures may need to be run retroactively, and new high-risk TPIs may need to be reexamined to ensure that any red flags in the due diligence and onboarding files can be resolved or addressed.
- Inspections/Shutdowns: Did the company interact with foreign government officials in connection with shutdown orders, and were there any disputes regarding whether the business was “essential” in certain jurisdictions?
- Controls/Approvals: Did the company engage in any new contracts with vendors? Were normal approval processes for entering contracts or approving expense reimbursements followed?
- Compliance Reporting Channels/Hotline: Has there been a decrease in compliance hotline use? Consider a review of the hotline log to ensure that nothing was missed that should have been investigated.
- Charitable Donations: Was the company directed by any government officials to make a donation, particularly by any officials in positions where they could exert influence for the company? It is also key to ensure that any charitable donation policies were followed and that any donated cash or consumer goods went to the charitable or government entity itself, rather than to any individual official.
In conducting this assessment, companies should also consider:
- Compliance Communications: Reintroduce company employees to key compliance functions, including training/resource materials and the confidential reporting hotline, in order to remind employees of their importance.
- Personnel/Staffing: Assess layoffs/furloughs/terminations globally and identify whether key stakeholders (whether in the business or in the compliance and finance functions) are still in their seats. Assess how those functions are being performed under pandemic conditions to gauge any impact on the enterprise’s overall risk profile, and fill any identified gaps. Assess the current state of compliance resourcing and ensure it is adequate. Similarly, identify changes in other functions that may have become even more relevant during the pandemic (e.g., accounts payable and cash management), to check whether there is an adequate compliance focus to reflect any of those changes.
- New Hires: Identify significant new hires made during the crisis. Review whether normal compliance onboarding processes have been followed. For executives, management, and personnel who have been assigned new responsibilities that might implicate compliance-related controls, contact them and introduce them to compliance.
- Performance Metrics: Consider whether the criteria used to calculate performance metrics for the company, business units, and departments were revised by corporate or local management in response to economic stress, and whether such revisions could affect the company’s books and records. For example, consider whether revenue recognition criteria have been applied consistently during the pandemic. Consider also whether accruals based on management estimates have been recorded or released without bias and consistent with the company’s accounting policies.
- Trade Compliance: Review situations where the company acts as the importer of record to determine if the importer is appropriately paying all duties – based upon correct declarations of the country of origin, classification of the good, and entered value – paying special attention to any special duties such as the Section 232 duties on steel and aluminum and Section 301 duties on imports from China.
Foley can help. Our experienced team of lawyers practicing in international government enforcement defense, investigations, and compliance is available to perform a COVID-19 “re-opening” risk assessment or, alternatively, guide companies through the process of conducting one themselves.