This article was republished with permission from Tom Fox’s FCPA Compliance and Ethics Blog.
One of the great things about writing your own blog is that sometimes you can get going on a subject and just explore it. While I think I might sometimes get carried away when I delve into a topic, I certainly learn much while doing so. This week appears to be such a situation where in studying and researching the GlaxoSmithKline PLC (GSK) scandal, I find that the case has much more to inform the compliance practitioner. So I am going to try and tie together some of the major lessons learned from the GSK Chinese enforcement action for the remainder of the week and present to you how such lessons might assist you in designing, implementing or upgrading a best practices compliance program. Today I want to look at internal controls, auditing and monitoring.
One of the questions that GSK will have to face during the next few years of bribery and corruption investigations is how an allegedly massive bribery and corruption scheme occurred in its Chinese operations. The numbers went upwards of $500 million, which coincidentally was the amount of the fine levied by the Chinese court on GSK. It is not as if the Chinese medical market is not well known for its propensity towards corruption, as prosecutions of the Foreign Corrupt Practices Act (FCPA) are littered with the names of U.S. companies that came to corruption grief in China. GSK itself seemed to be aware of the corruption risks in China. In a Reuters article, entitled “How GlaxoSmithKline missed red flags in China,” Ben Hirschler reported that the company had “more compliance officers in China than in any country, bar the United States.” Further, the company conducted “up to 20 internal audits in China a year, including an extensive four-month probe earlier in 2013.” GSK even had PricewaterhouseCoopers (PwC) as its outside auditor in China. Nevertheless, he noted, “GSK bosses were blindsided by police allegations of massive corruption involving travel agencies used to funnel bribes to doctors and officials.”
Where were the appropriate internal controls? You might think that a company as large as GSK and one that had gone through the ringer of a prior Department of Justice (DOJ) investigation resulting in charges for off-label marketing and an attendant corporate integrity agreement (CIA) might have such controls in place. It was not as if the types of bribery schemes in China were not well known. In an article in the Financial Times (FT) entitled “Bribery built into the fabric of Chinese healthcare system,” reporters Jamil Anderlini and Tom Mitchell wrote about the “nuts and bolts” of how bribery occurs in the health care industry in China. The authors quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China,” for the following: “This is a systemic problem and foreign pharmaceutical companies are in a conundrum. If they want to grow in China, they have to give bribes. It’s not a choice because officials in [the] health ministry, hospital administrators and doctors demand it.”
Their article discussed the two primary methods of paying bribes in China: the direct incentives and indirect incentives methods. Anderlini and Mitchell reported, “The 2012 annual reports of half a dozen listed Chinese pharmaceutical companies reveal the companies paid out enormous sums in ‘sales expenses,’ including travel costs and fees for sales meetings, marketing ‘business development’ and ‘other expenses.’ Most of the largest expenses were ‘travel costs or meeting fees and the expenses of the companies’ sales teams were, in every case, several multiples of the net profits each company earned last year.’”
It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria as defined and interpreted in company policies. It should fall to a compliance officer to finalize and approve a definition of permissible and non-permissible gifts, travel and entertainment, and internal controls will follow from such definition or criteria as set by the company. These criteria would include the amount of the spend, localized down into increased risk, such the higher risk recognized in China. Within this context, noted internal controls expert Henry Mixon has suggested the following specific controls:
- Is the correct level of person approving the payment/reimbursement?
- Are there specific controls (and sign-offs) that the gift had proper business purpose?
- Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls?
- If controls are not followed, is that failure detected?
Auditing Lessons Learned
Following Mixon’s point four above, what can or should be a company’s response if one country’s gifts, travel and entertainment expenses were kept “off the books?” This is where internal audit or outside auditors are critical. Hirschler quoted an unnamed source for the following: “’You’d look at invoices and expenses, and it would all look legitimate,’ said a senior executive at one top accountancy firm. The problem with fraud – if it is good fraud – is it is well hidden, and when there is collusion high up, then it is very difficult to detect.” Jeremy Gordon, director of China Business Services was quoted as saying “There is a disconnect between the global decision makers and the guys running things on the ground. It’s about initially identifying red flags and then searching for specifics.”
There are legitimate reasons to hold medical conferences, such as to make physicians aware of products and the latest advances in medicine; however, this legitimate purpose can easily be corrupted. Hirschler quoted Paul Gillis, author of the China Accounting Blog, for the following: “Travel agencies are used like ATMs in China to distribute out illegal payments. Any company that does not have their internal audit department all over travel agency spending is negligent.” Based on this, GSK’s auditors should have looked more closely on marketing expenses and more particularly, the monies spent on travel agencies. Hirschler wrote, “[The unnamed auditing experts] say that one red flag was the number of checks being written to travel agencies for sending doctors to medical conferences, although this may have been blurred by the fact that CME accounts for a huge part of drug industry marketing.”
Another issue for auditing is materiality. If GSK’s internal auditors had not been trained that there is no materiality standard under the FCPA, they may have simply skipped past a large number of payments made that were under a company’s governance procedure for elevated review of expenses. Further, if more than one auditor was involved with more than one travel agency, they may not have been able to connect the dots regarding the totality of payments made to one travel agency.
A final lesson learned for today is monitoring. As Stephen Martin often says, many compliance practitioners confuse auditing with monitoring. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks.
Here I want to focus on two types of ongoing monitoring. The first is relationship monitoring, performed by companies such Boston-based Catelas, through software products. It was reported in a Wall Street Journal (WSJ) article entitled “Glaxo Probes Tactics Used to Market Botox in China,” that internal GSK emails showed the company’s China sales staff were instructed by local managers to use their personal email addresses to discuss marketing strategies related to Botox. The Catelas software imports and analyzes communications data, like email, IM, telephony and SMTP log files from systems such as Microsoft Exchange Servers and Lotus Notes. The software then leverages social network analysis and behavioral science algorithms to analyze this communications data. These interactions are used to uncover and display the networks that exist within companies and between the employees of companies. Additionally, relationships between employees and external parties such as private webmail users, competitors and other parties can be uncovered.
The second type of monitoring is transaction monitoring. Generally speaking, transaction monitoring involves review of large amounts of data. The analysis can be compared against an established norm which is derived either against a businesses’ own standard or an accepted industry standard. If a payment, distribution or other financial payment made is outside an established norm, a red flag is created that can be tagged for further investigation.
GSK’s failure in these three areas now seems self-evident. However, the company’s foibles can be useful for the compliance practitioner in assessing where their company might be in these same areas. Moreover, as within any anti-corruption enforcement action, you can bet your bottom dollar that the regulators will be assessing best practices going forward based upon some or all of GSK’s missteps going forward.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business advice, legal advice or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.