SMEs Hit the Road: Better Watch for Global Hazards

by Steven G. Blum, CPA, CFE, CFF, and Benjamin A. Cohen, CPA, CFE, CFF | Sep 30, 2016
Pennsylvania CPA Journal

The U.S. Foreign Corrupt Practices Act (FCPA) and similar regulations across the globe have been a source of great anxiety for large publicly traded companies. There is significant risk of unknowingly becoming ensnared in the framework of rules, particularly as a company becomes more global. There are resources to help guide companies through these risks, but many appear focused on resource-rich, large multinational companies. What if your company is a small or medium-sized entity (SME) making an initial foray into the global markets?

SMEs do not have the resources or expertise of large multinationals. So how can they reasonably comply with the regulations and best practices that may be both literally and figuratively foreign to them? Fortunately, an effective compliance program can be achieved with the limited resources of an SME.

Compliance Is Not an Option

SMEs have recently become a focus of regulators. At the 2015 SEC Speaks program, Kara N. Brockmeyer, chief of the Securities and Exchange Commission’s (SEC) FCPA unit, commented that her group has added a focus on small and medium-sized companies that venture into international markets. In 2014, Smith & Wesson, Bruker, and Layne Christensen (companies with annual revenues of $600 million, $1.8 billion, and $800 million, respectively) were targets of FCPA enforcement actions. With the 2014 Smith & Wesson action, Brockmeyer said, “When a company makes the strategic decision to sell its product overseas, it must ensure that the right internal controls are in place and operating.”

Large penalties accompany violations. Noteworthy recent penalties include payments by Alcoa ($384 million), Avon ($135 million), Alstom ($772 million), and VimpelCom ($795 million). Siemens recently paid $42 million (in addition to the $1.2 billion paid in prior settlements related to other actions) to settle a 14-year-old bribery case. These fines represent only the penalty component. They don’t include a company’s cost of investigating and correcting the issues or any effects on reputation.

Although an SME might not find itself charged with a $1.2 billion fine, SMEs and individual employees may still have to dig deeply into their own smaller pockets to atone for any missteps. For example, Smith & Wesson settled with the Department of Justice (DOJ) for $2 million for the payment and concealment of bribes, in the form of guns and illegal cash through third parties in Pakistan, Indonesia, Turkey, Nepal, and Bangladesh, in an attempt to win contracts. The SEC said Smith & Wesson failed to “design and implement a system of internal controls or an appropriate FCPA compliance program reasonably designed to address the risks of its new business model.” The price of the investigation added another $2 million to the total cost. To put the total $4 million in perspective, consider that the alleged bribe was only valued at $11,000 and yielded $108,000 in contract profits.

It’s not just SME “companies” at risk; it could become very personal. The DOJ has shifted focus toward individual prosecution, as evidenced by the September 2015 Individual Accountability for Corporate Wrongdoing memorandum issued by Sally Quillian Yates, deputy attorney general. Known as the “Yates Memo,” the memorandum states, “One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.” The memo both describes steps the DOJ will take to ensure the identification of culpable individuals and highlights the use of civil action as a future deterrent.

Enforcement is becoming more vigorous. The FBI is tripling resources dedicated to investigating FCPA violations, and it will add three new squads of special agents devoted to FCPA prosecutions and investigations. The DOJ recently announced a three-part initiative that could potentially create a significant increase in the level of FCPA enforcement activity. The DOJ’s FCPA unit will be bolstered by 10 additional prosecutors, and it will also continue to strengthen its coordination with foreign counterparts. The DOJ has also introduced a one-year FCPA enforcement “pilot program” to motivate companies to self-disclose FCPA-related misconduct.

In addition to mitigating the legal risk from wayward employee conduct, complying with corruption regulations is just generally better business. An effective anti-corruption compliance program will help control a company’s exposure across all its operations and supply chain, and enhance its reputation as a responsible partner with vendors, customers, and others. Compliance presents the advantage of being a preferred business in the event the company is a potential target for acquisition. Usually an acquiring company will evaluate the strength of a target’s compliance program to provide assurances to a host of stakeholders and shareholders.

Guidance for SMEs

The SEC has explicitly stated that SMEs, like their larger counterparts, are responsible for creating functioning and effective compliance programs. SMEs do not get a “pass” for being small or for being new to global markets. However, reasonableness is a key consideration in program development, and SMEs will not be measured with the same yardstick as their larger counterparts. An SME’s compliance program will be assessed based on the company’s relative size and resources. Available guidance will give SMEs some helpful insight.

According to U.S. sentencing guidelines, SMEs must demonstrate the same degree of commitment to ethical conduct and compliance with the law as large organizations. They can, however, meet these requirements with “less formality and fewer resources” than larger companies. Reliance on existing resources or simpler systems than those used by larger organizations is appropriate. The sentencing guidelines provide four examples of correct behavior:

  • The governing authority discharges its responsibility for oversight of the compliance and ethics program by directly managing the organization’s compliance and ethics efforts (i.e., the board does not have to outsource management of the program; it can do it itself).
  • Employees are trained through staff meetings and monitored via regular “walk-arounds” or continuous observation.
  • The company uses available personnel rather than employing separate staff to carry out the compliance and ethics program.
  • The company models its own compliance and ethics program on existing, well-regarded compliance and ethics programs and best practices of other similar organizations.

The SEC’s and DOJ’s FCPA guidance also reveals that these agencies will take into account the differences between compliance programs at large multinational companies and those at SMEs. Even so, the expectation is that SMEs will still look to the following “Hallmarks of Effective Compliance Programs” provided in the SEC’s and DOJ’s FCPA guidance:

  • A commitment from senior management and clearly articulated corporate policy against corruption
  • A code of conduct and compliance policies and procedures addressing the company’s riskiest areas
  • Autonomy and resources provided to one or more identified senior executives vested with responsibility for the oversight and management of the compliance program
  • A risk assessment in order to develop a compliance program that focuses compliance resources on areas of highest risk
  • Training and continuing advice to employees, directors, officers, and, in appropriate circumstances, agents and partners
  • Incentives and disciplinary measures that reinforce the importance of compliance
  • Risk-based, third-party due diligence and monitoring of third-party payments and relationships
  • A mechanism for confidential reporting and a properly funded efficient process for investigating allegations raised
  • Periodic testing and review in order to continuously improve the compliance program
  • Preacquisition due diligence and postacquisition integration in the context of mergers and acquisitions

The best approach for an SME is to focus on those areas that correspond to the highest risks within the organization. This should facilitate the development of an effective compliance program, even with limited resources.

The guidance for SMEs will receive a boost with the imminent arrival of ISO 37001, the International Organization for Standardization’s anti-bribery management systems standard. ISO 37001 has been developed with significant input from business professionals, and is designed to apply to companies of all sizes. In fact, the draft standard contains multiple references to small organizations. The draft pays particular attention to smaller organizations’ limited compliance resources, and recognizes that the anti-bribery compliance function may be the shared responsibility of an appropriate individual or carried out by a third party. Once ISO 37001 is finalized, qualified organizations will have the ability to obtain certification with the standard, which should provide a distinct compliance advantage for SMEs.

Where to Begin?

Many “hallmarks” of an effective compliance program are easily developed with existing resources, though this may require creativity on the part of the SME. Here are some examples:

  • Leverage – Don’t hire a stand-alone compliance person. Assign overall responsibility for the company’s compliance program to an existing senior-level executive. A senior-level person in charge sends the correct message to others within the organization. It establishes a proper tone at the top for the organization and shows that the company places great importance on ensuring there is compliance with anti-corruption regulations. Similarly, leverage local staff to act as compliance “liaisons” throughout your organization to help disseminate the compliance message and act as dedicated resources for problem-solving and escalation of issues.
  • Tailor – Don’t write a Code of Conduct from scratch. A Code of Conduct and other policies and procedures can be developed easily by mirroring the compliance programs of similar organizations. Find something and tailor it to your organization.
  • Communicate – Once developed, the Code of Conduct can be circulated to the company’s other business partners, vendors, and customers with little effort.
  • Amend – Anti-corruption language can easily be included in all new company contracts with any third party. Existing important contractual relationships can be amended.
  • Report – Anonymous reporting functions and follow-up on allegations can be fulfilled by outsourcing an anonymous hotline, using the company’s existing internal audit function, and generally fostering an environment that encourages the reporting of suspicious behavior.
  • Monitor – Charge internal audit or other existing finance functions with the responsibility of periodic testing and review of the existing compliance function.

Another hallmark of an effective compliance program is that it is developed using a risk-based approach. Look at your business and where and how it may be exposed to corruption. This risk assessment is the cornerstone, and essential first step, in building an effective program. If your company does not have the appropriate expertise to do this, it may justify outsourcing the risk assessment to a consulting firm with these capabilities. These firms can assist SMEs in identifying their unique risks and developing a reasonable yet effective program to mitigate those risks.

Regardless of who performs this work, a risk assessment will identify and prioritize a company’s corruption risks by looking at the company’s operations, business with government entities, geographic locations, size, industry, go-to-market strategy, and regulatory environment. Specifically with an SME, it will be important to understand what is “new” to better understand the risks. If a company has recently expanded into new global markets, what is the operating environment and what are the risks associated with those markets? Are there new government customers? Has the company added new distributors or intermediaries to its sales process? All of these changes could be indicative of new risks within the company that need to be identified and addressed as part of an effective compliance program. We’ve provided some examples below of common situations and associated risks, as well as how elements of an effective compliance program might mitigate the risks. This is meant to provide some concrete examples, though it is not a comprehensive list.

My company has begun to use licensed distributors for overseas sales – This is a common situation as sales in other countries often require the use of a local intermediary. Using a distributor, or any third-party intermediary, can pose additional corruption risks. For example, it’s not uncommon for a distributor to unlawfully incentivize customers to generate sales. These incentives could be in the form of kickbacks, gifts, or free goods and services. The company is still responsible for the action of its distributors, so this potential risk requires assessment and prioritization with other potential risks. An effective compliance program designed to mitigate this particular risk might include things such as ensuring that the contract with the distributor contains appropriate anti-corruption language and audit rights; performing due diligence on the distributor, either through public records searches or site visits to better understand the distributor’s business reputation; and conducting periodic monitoring or communication with the distributor. The company should also watch out for preferential pricing arrangements by analyzing profit margins associated with the ultimate sell-through of product to the end customer. Unusual profit margins could be a source of funds used for kickbacks, bribes, or other nefarious purposes.

My company now sells directly to government entities overseas – Any type of sale to government entities or government-controlled entities poses an increased risk of corruption because you now have company personnel or their agents potentially interacting directly with government officials. There is a risk that interactions could result in improper behavior and activity, including inappropriate gifts, bribes, kickbacks, or other offers designed to influence the decision-making of government officials, including offers of employment for family members of government officials. In this circumstance, an effective compliance program would focus its attention on those employees who have the most interaction with the government customers. A compliance program would provide appropriate training for these individuals and make sure appropriate policies are in place to specifically deal with the treatment of gifts, entertainment, travel, and other things of value being presented to government officials. The company might also want to maintain a log of any meals, entertainment, or gifts involving a government official.

My company acquired a company that has operations overseas – Any violation of anti-corruption regulations by an acquired company – past or present – can become the responsibility of the acquiring company. Although your company may have commissioned due diligence prior to making the acquisition, chances are high that any anti-corruption due diligence has not been particularly extensive due to limited access. If this new acquisition resides in a location known for corruption or within a higher-risk regulated industry, it may make sense to perform an onsite post-acquisition corruption risk assessment to identify any risks or issues that might exist. For an SME that is newly engaged in a foreign market, it may make sense to outsource this work to a firm with local resources that can perform the bulk of this work on your behalf or assist you with developing a workplan that your own personnel can complete.


For resource-constrained SMEs, it’s important to identify the biggest corruption risks that exist within your organization, document those risks, and build a compliance structure to address those risks. Then, periodically monitor and test the compliance structure you have built. When this risk-based approach is employed in conjunction with the creative use of resources to develop sound policies and the other hallmarks of an effective program, you will likely have a successful system. It may not look like the compliance program of a multinational corporation, but it will nonetheless be an effective program that matches your company’s size, operations, and risk profile while being more likely to pass regulatory scrutiny. 


Steven G. Blum, CPA, CFE, CFF, is a partner with Control Risks Group in Washington, D.C., and a member of the Pennsylvania CPA Journal Editorial Board. He can be reached at

Benjamin A. Cohen, CPA, CFE, CFF, is a principal with Control Risks Group in Washington, D.C. He can be reached at
