Top Five Corporate Compliance Challenges in 2010 for Technology Companies
The compliance risks facing the technology industry in the United States and throughout the world span a number of areas, from the ethics and legalities of business transactions to the valuation of products for duty purposes, to accounting standards, tax laws and consumer protection regulations.
Although technology firms have a long history of bringing their products and services to local markets worldwide, they often find that compliance risks can present the biggest challenge when pursuing international opportunities.
The stakes associated with increasing government compliance requirements have risen. Foreign regimes have become more mature in their strategies around monitoring and policing economic activities within and through their countries, as they seek to recoup revenues lost to the financial crisis. In addition to financial penalties, compliance failures damage hard-won reputations, impact customer loyalty and threaten regional or global plans.
KPMG LLP has deep experience serving global technology companies across our core Audit, Tax and Advisory businesses and across KPMG International’s global network of member firms. That experience has provided us with valuable insights into the compliance risks that are top of mind for technology executives and what leading companies are doing to manage them.
Here is what we see as the Top Five Compliance Challenges faced by technology companies in 2010.
Compliance Challenge No. 1: Protecting Privacy
Privacy issues at technology firms are anything but private. Data breaches (involving customers’ private information) and their associated costs of remediation and liability, as well as their toll on reputation, can and do make headlines. Complicating matters in this area is the patchwork of privacy laws and regulations that only grows as new threats and security needs are identified.
Industry-specific federal laws cover privacy concerns in areas from financial services and electronic health records to children’s privacy. The Federal Trade Commission (FTC) also enforces privacy standards and is constantly evaluating the need for additional regulation. And there are data breach laws on the books in at least 45 states.
Outside the United States, countries have enacted laws that limit or prevent the transfer of personally identifiable information (PII) to countries that don’t have adequate and comprehensive privacy laws. This is of particular interest to firms that operate globally, provide cloud computing services or that have a significant online presence, such as companies that offer social networking or Web-browser services, all of which collect vast amounts of PII.
Understand Data Life Cycle
Compliance with privacy laws requires that companies understand their data life cycle – what information they collect, how it flows through the organization, with whom it is shared, and how long it is retained – and the regulatory requirements of the jurisdictions in which they operate. Then, they can identify, design and implement effective compliance controls.
To keep ahead of the growing list of rules and standards that govern privacy, technology firms need to remain current on ongoing threats to data that will likely drive future regulation. Keeping an eye on areas of interest to the FTC will help.
The FTC has lately been exploring privacy issues associated with behavioral targeting, a practice of online advertisers who collect consumer data to better aim their ads. It also has asked the Federal Communications Commission to look at the privacy implications of a national broadband plan. This activity points to potential new standards and rules on the horizon.
Compliance Challenge No. 2: New Accounting Standards
Compliance with accounting standards is always top of mind for technology executives. This will continue to be true in 2010, and new standards from the Financial Accounting Standards Board (FASB) issued late in 2009 will have a specific impact on the way technology companies recognize revenue.
One standard, Multiple-Deliverable Revenue Arrangements (EITF 08-1), allows a company to account separately for individual products and services that are sold together as a package. It allows use of the company’s best estimate of the stand-alone selling price for each product or service. Previously, a company was prohibited from separately accounting for items sold as a group if it did not have “objective and verifiable evidence” of the selling prices of all undelivered items.
A related standard, Certain Revenue Arrangements That Include Software Elements (EITF 09-3), excludes sales of software-enabled devices, such as smart phones or MP3 players, from the scope of the more stringent revenue recognition requirements that apply to sales of software.
Earlier Revenue Recognition
Together, the two standards allow revenue from software-enabled devices with bundled services to be recognized earlier than under previous rules. The standards take effect for calendar year-end companies in January 2011 and may be adopted before then, as of the beginning of a company’s fiscal year.
To comply with these new standards, companies will have to establish processes to determine stand-alone selling prices for many of their products and services. This may involve gathering and analyzing large volumes of sales and market data. Companies will also need to implement monitoring controls to identify changes in stand-alone selling prices and in the level of evidence available to support those prices.
In the past, many technology companies implemented restrictive business and pricing practices to comply with the old rules. The new standards provide those companies with an opportunity to make their business models and pricing strategies more flexible.
Compliance Challenge No. 3: Import/Export Regulations
Non-compliance with import/export laws can bring severe penalties to technology companies and also slow the movement of products across borders, ultimately raising costs and narrowing margins.
Experience has demonstrated that longstanding import/export rules are quite dynamic and sensitive to external political and economic events. It’s been our observation, of late, that audit activity by customs authorities worldwide has increased since the start of the economic crisis, as governments attempt to increase revenue from trade enforcement and penalties.
Technology companies, whose products are often duty free, have been particularly hard hit. In some countries, including the United States, the penalties for non-compliance with U.S. import laws and regulations are actually higher on duty-free products.
Penalties and Seizures
In the last few years, U.S. technology companies have faced multimillion-dollar penalties and seizures in Brazil and India related to valuation of imports. In one instance, the assessed penalties were in excess of $10 million.
Tax compliance related to Transfer Pricing also overlaps with import rules (see Compliance Challenge No. 5).
In addition, in the United States, the government is placing a greater emphasis on export regulation pertaining to the disclosure of controlled technology to foreign nationals domestically and abroad. Technology companies need to establish robust internal controls to comply with this rule.
Experienced teams also are essential to compliance. Leading export departments have professionals trained in export law and regulations that cover classification, licensing, technology transfers, and end-user/end-use controls. What’s more, leading import departments have personnel well-versed in the intricacies of customs laws and regulations, including valuation, tariff classification, country of origin and free-trade agreements.
Compliance Challenge No. 4: Foreign Corrupt Practices Act
If technology executives are paying close attention to stepped-up trade laws, they’re surely riveted on maintaining compliance with the Foreign Corrupt Practices Act (FCPA), which adds the teeth of the criminal code to the compliance mix. The act prohibits U.S. companies and citizens from offering or paying money or providing anything of value to a foreign official to obtain or retain business.
Indeed, the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission prosecuted a record number of FCPA violations last year.
Of particular concern to executives and board members regarding FCPA is that corporations do not have to be directly involved – they can be held liable for the conduct of third parties if management knows or has reason to know that a third party is offering or making improper payments on the company’s behalf.
Ferreting out or preventing corruption can be particularly nettlesome for technology companies, whose distribution channels include third-party distributors, resellers and others.
Due Diligence Critical
It is critical for companies to have due diligence processes in place to check third-party qualifications and verify that references are from reputable clients. Firms are expected to be actively involved in confirming that third parties are monitoring their own compliance with the law and are willing to submit to right-to-audit clauses in contracts.
A robust FCPA compliance program also includes employee codes of conduct with specific FCPA provisions, and provides for ongoing training, communications and certification. In addition, leading companies perform periodic compliance audits and monitoring to assess the effectiveness of their FCPA program and detect possible non-compliance.
The government takes a very serious approach to compliance with the FCPA. One official recently commented that if you have an effective compliance program and are doing business globally, you ought to be finding violations.
Compliance Challenge No. 5: Transfer Pricing
In past years, discussions about transfer pricing in a large global technology firm were mostly reserved for tax specialists. The transfer-pricing compliance environment has radically changed, however, in a relatively short period of time.
Today, broader collaboration is required to help ensure that tax considerations are a holistic part of both strategic and tactical decision-making in the high-technology enterprise.
Indeed, governments across the globe are beginning to recognize the significant revenue opportunities presented by technology companies that routinely transfer assets across their borders in the normal course of product development, production, and sale.
Transfer pricing actions by taxing bodies can include high costs associated with audits, negative publicity, the potential for declining market capitalization, and income adjustments.
Coordinated Global Process
There are actions that can help a technology company or other organization create a coordinated global transfer-pricing process. One important step is establishing global or regional approaches to transfer-pricing documentation as part of a global documentation strategy.
Companies also should develop standard approaches to managing discussions with and responses to tax authorities. In addition, they should establish transfer-pricing policies that are reasonable, rational, consistent and economically credible to taxing authorities.
Conclusion
It is clear that properly managing compliance risks is vitally important as technology companies re-focus on innovating, growing revenue, and expanding into new markets in 2010.
To deal efficiently with compliance and other risks, many technology companies have, or are considering, an Enterprise Risk Management (ERM) program.
ERM programs should be tailored to each company’s culture and style, but important common attributes include the timely identification of the most strategic compliance risks, among others, so they can be elevated for management or board-level attention. A good program also will include strategic planning that takes into account risks on the horizon and internal controls that can be scaled or defined to manage any area of compliance.
In addition, technology companies and other organizations would do well to leverage and capture the local knowledge and experience, both good and bad, of people and teams throughout their global operations. That step can help identify common threads of compliance that can lead to a more effective and efficient management of compliance issues around the globe.
We believe that companies that link their ERM and compliance programs can enjoy the very real benefits that come with understanding and meeting industry regulations and standards. That includes reducing risks to their reputation and being better prepared to adjust to new regulations. They also help foster a culture where professionals are keenly aware of the importance of complying with the rules in all aspects of their business.
Many companies realize that the distraction and cost of dealing with non-compliance far exceeds the time and dollar investment required to identify and manage risks before they become problems. Technology companies that recognize and address their top compliance challenges now can reap greater efficiencies as they advance their business strategy worldwide.
**********
Henry R. Keizer is Global Head of Audit – KPMG International, and U.S. Vice Chair – Audit, KPMG LLP.
KPMG LLP, the audit, tax and advisory firm (www.us.kpmg.com), is the U.S. member firm of KPMG International Cooperative (“KPMG International”). KPMG International’s member firms have 140,000 professionals, including more than 7,900 partners, in 146 countries.
This article represents the views of the author only, and does not necessarily represent the views or professional advice of KPMG LLP.