WPP SEC FCPA Enforcement Action: Lessons Learned (Part III of III)

The SEC’s FCPA enforcement action against WPP presents a number of important lessons learned, ranging from third-party risk management, properly responding to employee complaints and red flags, and failure to integrate acquisition targets into existing compliance programs. 

At bottom, WPP and its subsidiaries lacked any culture of compliance.  While it is easy to cite all the deficiencies in the WPP subsidiaries, such a focus misses one important point – the importance of ethics and compliance is set by, promoted and depends on the tone and commitment from the parent organization.  WPP lacked any real commitment and its tone permeated every aspect of its business operations.

Failure to Conduct Due Diligence:  WPP’s subsidiaries failed to conduct appropriate due diligence for any of the third-parties involved in the various bribery schemes. Had due diligence been conducted, WPP would have learned about risk relationships between the local CEOs and relevant government officials. Of course, there is no guarantee that the due diligence results would have resulted in WPP prevent such high-risk relationships or insisted on robust risk mitigation steps.

Defective Responses to Employee Concerns: The SEC statement of facts is replete with instances where anonymous employee concerns were raised and not taken seriously.  This reflected a failure on WPP’s part to respond properly to these concerns.  As described by the SEC, some of the concerns described the bribery scheme in detail.  Yet, WPP failed to appreciate these employee reports and failed to respond by launching appropriate investigations, conducting additional due diligence or analyzing financial data.

Improper Use of Outside Accounting Firm to Investigate Bribery Concerns: On one occasion in India, WPP retained a global accounting firm.  The investigation launched by the accounting firm was improperly scoped and executed.  The accounting firm failed to investigate the central allegation – whether the subsidiary was paying bribes to government officials.  Instead, the accounting firm conducted a broad brushed investigation, failed to review email messages and conduct a focused financial inquiry.  The oversight and execution of the investigation was deficient.

Failure to Uncover Local Employee Forgery and Falsification of Documentation: The SEC noted that on occasion WPP employees falsified or forged invoices and other documents relating to non-existent or inflated services allegedly provided by outside vendors.  This failure to confirm appropriate documentation and services provided by a vendor underscores the risk that insiders can manipulate accounting controls by suppling false documentation. To remedy such problems, companies have to adhere to relevant accounting controls and ensure the absence of segregation of duty conflicts.  WPP’s local operations lacked such basic controls.

Defective Internal Accounting Controls: To the extent that WPP maintained a proper set of internal accounting controls, it is not clear that these controls were even applied to acquisition targets, and even if extended, the controls were ignored. WPP’s internal accounting controls were defective on their face, and it is hard to imagine how WPP’s auditor never tested nor identified the weaknesses in its controls, particularly given WPP’s aggressive growth strategy.  WPP’s rampant misconduct among its local subsidiaries demonstrates the important of design of internal controls that can be implemented across the organization and testing of the controls in local markets.l

Absence of Acquisition Integration Planning: WPP’s blatant misconduct underscores the importance of integration planning and execution of acquisition targets. WPP adopted an aggressive acquisition strategy to grow its business in emerging markets.  Given the high-risk nature of its acquisition strategy, WPP should have adopted a robust due diligence pre-acquisition program and detailed acquisition integration and audits.  Such integration planning should have included prompt training, adoption of compliance program policies and procedures and conduct of an FCPA audit.

You may also like...