SEC settlement offers lessons for legal counsel

The U.S. Securities and Exchange Commission recently entered into a cease-and-desist order with Juniper Networks, Inc., related to violations of the internal controls and recordkeeping provisions of the Foreign Corrupt Practices Act of 1977 through its subsidiaries operating in Russia and China. The facts are described in the SEC’s Accounting and Auditing Release No. 4069, issued on Aug. 29.

Juniper is a Delaware corporation headquartered in Sunnyvale, California, and listed on the New York Stock Exchange. It designs, manufactures and sells networking equipment products — such as routers, switches and security firewalls — and it services telecommunication network service providers.

Juniper’s sales to end-user customers are made through third-party intermediaries known as “channel partners.” The channel partners provide end-user customers with technical expertise, system integration services, and product maintenance and servicing.

The improper conduct occurred in two countries: Russia and China. For the Chinese subsidiary, the problems arose out of sales employees violating the FCPA rules with improper government entertainment expenses that were falsely documented in Juniper’s accounting system.

Similar to other FCPA cases, Juniper’s internal controls were ineffective at detecting the link between the expenses and the sales to governmental entities.

In contrast, Juniper’s situation in Russia involved a unique scheme to override the company’s internal controls over financial reporting for personal gain. The problems arose out of sales employees misrepresenting to senior management the need to discount sales prices to maintain competitive in the market.

Lessons learned in the Juniper Networks matter include that second chances for people who violate company policies and controls is a terrible business decision.

The reality is that the rogue employees were conspiring with the channel partners to create available funds to use for improper business entertainment purposes, including activities with government officials, in violation of Juniper’s policies and the FCPA rules.

Sales discounts are common in many businesses. However, understanding the Russian Juniper scheme provides a different perspective. Generally, management’s focus on discounts relates to ensuring satisfactory margins. The facts described below provide lessons and insights for registrants and their legal counsel to be aware of when dealing with rogue employees, and how to improve a company’s internal controls for sales transactions when discounted sales pricing is common.

Background

Per the Accounting and Auditing Release, from 2008 to 2013, sales employees in Juniper’s Russian subsidiary misrepresented to senior management the need for increased discounts for sales to channel partners.

In fact, the employees knew the discounts were excessive and were unnecessary, nor would they be passed on to end-user customers. Instead, the employees conspired with the channel partners, who purchased the discounted product and sold it at the usual market price to create a fund with the scheme’s profits for their own personal and entertainment use.

The excess money was known as “common funds.” Once the common funds were established, the employees and channel partners used the off-book funds without having to comply with Juniper’s internal controls, policies or approvals.

The common funds were used to fund trips for end-user customer employees, including trips that were excessive, inconsistent with Juniper’s policies, predominantly leisure in nature, and had little or no legitimate business purpose.

The trips paid for customers, including foreign officials, to travel to international tourist destinations, such as Italy, Portugal and various U.S. cities, all of which there were no legitimate business justifications. In some instances, the travel included customers’ family members. Of significance, emails existed explicitly discussing entertaining foreign government officials and links to new contracts.

Interestingly, according to the AAER, in 2009, a “member of senior management” learned about the improper discounting and the common funds. As a result, Juniper instructed the employees to stop what they were doing and supposedly implemented remedial efforts to avoid future problems.

However, the rogue employees continued their actions, albeit working more diligently to mask their communications and bad acts. Notably, there is no mention of anyone being terminated upon Juniper’s discovery of the initial improper acts. That, in and of itself, is a failure to take the most important remedial action.

It appears that the company conducted its own full and thorough investigation only after the problems were the subject of an SEC investigation. During that process, Juniper voluntarily produced and translated documents and provided the SEC with presentations regarding its investigation — factors the SEC viewed favorably as full cooperation.

Juniper’s remedial actions included:

• Realigning its compliance function into an integrated unit, with all reporting into a newly created chief compliance officer;
• Implementing an escalation policy to ensure that its board of directors was informed of serious issues;
• Requiring pre-approval of non-standard discounts;
• Requiring pre-approval for third-party gifts, travel and entertainment, channel partner marketing expenses, and certain operating expenses in high-risk markets;
• Conducting additional employee training on anti-corruption issues; and
• Improving its processes for internal investigations of potential anti-corruption violations.

The disgorgement, interest and penalties payable by Juniper to the SEC exceeded $11.7 million.

Avoiding similar problems and risks

The greatest benefit of reviewing AAERs published by the SEC is to learn from the errors and failures of public registrants. Lessons learned in this matter include: 1) second chances for people who violate company policies and controls is a terrible business decision, and 2) business analytics can be a useful internal control over financial reporting. Let’s look at each lesson closer.

First and foremost, adequate and competent people, with proven integrity, are an essential component of effective internal controls. If people violate company policies and controls, there should not be a second chance.

Termination is generally necessary for two reasons. First, to use the old adage “fool me once, shame on you, fool me twice, shame on me,” a company’s controls are too important to its reputation to allow anyone with a proven lack of integrity to continue in their job.

In addition, giving a person who has shown a lack of integrity and ethical values a second chance sends a message to other employees that strict adherence with controls and policies isn’t important. The perception of a company’s culture can be quickly impugned by such decisions.

Next, good business analytics can reinforce a company’s controls and identify unusual or improper behavior. As mentioned above, businesses often review margins to ensure satisfactory transactional or business level profitability. However, the review is generally used to compare profit margins versus expectations and plans.

The same process taken a step further for sales transactions may demonstrate abnormalities by region, by salesperson, by customer, and/or by ultimate end-user customer when a channel partner is involved. This can be a valuable analysis for companies that have foreign governments among their clients and serve as an added layer of FCPA controls in their compliance programs.

As important, business analytics for salesperson spending levels versus budget and target sales are often insightful. Reviewing average spend to revenue generation over time and comparison to peers may highlight missing information as excesses.

Companies are frequently focused on overspending compared to budget and paperwork for files, and less concerned with underspending and challenging the documentation for misrepresentations. Similar to the sales practice discussion, thoroughly inspecting salespersons’ entertainment documentation for companies with foreign government clients is critical.

The facts in the Juniper release are insufficient to know whether detailed analytics would have detected the risk for common funds and/or whether documentation misrepresentations could have been detected. Of significance, when people know special tests are being performed, the tests themselves can be a deterrent to improper conduct.

Legal counsel’s role

The facts available in this matter aren’t sufficient to identify the role Juniper’s legal counsel played regarding establishing policies, providing training, and advising management and the Juniper board of directors related to the improper activities and poor risk management described above.

However, the facts provided in the AAER and the existence of the problems offer several useful discussion points for how counsel can help their clients avoid similar problems.

Counsel’s role often involves proactive risk management, starting with reviewing the company’s policies related to internal control procedure violations. Willful violations of such policies should be reported to the company’s audit committee, and parties should be held accountable for their actions, including termination for egregious violations similar to those described above.

Notifying the audit committee allows for the consideration of an independent investigation, in which counsel’s involvement may consist of investigative interviews, analytics, etc. Juniper’s problems may have been mitigated if it had put in place such a policy the first time the issue was discovered.

Another proactive risk management action for registrants with government clients is involvement with proper FCPA training. Such training is critical for salespeople and sends a strong message from legal counsel regarding the penalties for violations.

Finally, legal counsel can play a vital role helping audit committees fulfill their oversight roles. This can include assisting the audit committee and engaging with internal and external auditors to ensure thorough risk assessments are in place for FCPA and all other compliance programs.

When considering the penalties incurred and the reputational harm suffered with the recent FCPA violations, compliance programs and control improvements will always be a worthy investment.

Joseph J. Floyd, a CPA and attorney, is a partner and co-founder of Floyd Advisory, a consulting firm in Boston and New York City that provides financial and accounting expertise. Marni J. Kaufman, CPA, is a manager in the Boston office.