EFFECTIVE FCPA CORPORATE INVESTIGATIONS : DISCOVERING THE WHOLE TRUTH

Lucinda A. Low*

Steptoe & Johnson LLP Washington, D.C.

Presented to the

ABA 2015 Corporate Counsel Seminar

Miami, Florida February 13, 2015

INTRODUCTION While sharing many of the issues common to all types of corporate investigations, anti-corruption corporate investigations involving the U.S. Foreign Corrupt Practices Act (“FCPA”) and other transnational bribery statutes are particularly complex and challenging. The issues associated with such investigations, including the issues of voluntary disclosure in FCPA cases and the scope and approach to prevent a “runaway” investigation, as well as any post-disclosure interface with a government investigation, require unique experience and judgment. In recent years, enforcement of anti-corruption laws such as the FCPA has reached and remained record levels. The number of cases, and the level of penalties, as well as the targeting of senior corporate executives and even whole industry sectors for enforcement, coupled with the growth of international standards, the advent of multiple parallel or sequential prosecutions, and collateral risks from shareholder derivative suits, suspension and debarment, and the like, have made the risks of a violation greater than ever. This is particularly true for companies listed on a U.S. securities exchange or subject to periodic SEC reporting requirements. For these companies, post-Enron developments in corporate governance, including the Sarbanes-Oxley Act of 2002, new SEC rules, and new New York Stock Exchange rules, although not created specifically for the FCPA context, have created magnified responsibilities, risks, and dynamics in that context. This impact is being seen in a variety of contexts, from increased whistleblower activity, to the response of external auditors to possible violations of law, to heightened expectations of management in multinational companies and due diligence in corporate mergers and acquisitions, among others.

The risk today that corrupt practices will come to light is much higher than just a few years ago; conversely, the risk that they can remain concealed for an extended period of time is much lower.

* Copyright © 2015 Lucinda A. Low, Steptoe & Johnson LLP. Portions of this paper are derived from papers previously published by the author.

The impact of an anti-corruption issue is enhanced by the greater predilection of corporate Boards of Directors in recent years towards voluntary disclosure of potential or actual FCPA violations. One might even question whether the term “internal investigation” has become somewhat of a misnomer in the FCPA context, given the tendency in recent years for such investigations to be used as an adjunct to law enforcement. The old model of an internal investigation as a truly internal matter, which companies pursued in the exercise of corporate responsibility, struggles to survive in an era when enforcement officials expect transparency, insist on sharing information with their foreign counterparts, and feel free to substitute their judgment on remediation for the judgment of those entrusted with management oversight.

If all this were not concern enough, the Dodd-Frank financial reform legislation of 2010

with its mandatory rewards for whistleblowers, and expanded anti-retaliation protections for employees, has created incentives for individuals who believe they are in possession of information concerning violations of federal securities laws to go directly to the SEC in the hope of reaping a financial reward, sometimes bypassing internal reporting channels, and complicating the investigation process and the disclosure calculus. The first part of this paper will review some of the distinguishing features of FCPA and anti-corruption internal investigations involving transnational conduct more generally and discuss strategies for effectiveness. The second part will discuss some of the implications of Sarbanes-Oxley, Dodd-Frank, and other recent developments for such investigations, and assess whether the trends reflected in recent enforcement actions are likely to continue.

I. FCPA INTERNAL INVESTIGATIONS

A. Distinguishing Features of FCPA and Transnational Anti-Corruption Internal Investigations

Much has been written about internal corporate investigations, and this paper therefore will not attempt to provide a blueprint for the conduct of such investigations in general. FCPA and other transnational anti-corruption internal investigations (referred to herein for convenience as FCPA internal investigations) are in many respects just another species of internal investigation. They share issues, tools and skills, characteristics, and pressures – including time pressures – common to many types of internal investigations. They may involve ongoing as well as past practices, where immediate action to “stop the bleeding” may be necessary when the practices are discovered. They may put significant commercial assets or activity at risk, or arise in a business context where quick decisions must be made. They require careful strategizing and planning, including decisions regarding scope and privilege. They can raise issues of corporate politics and personal agendas, and put careers at stake. At the same time, there are a number of aspects of FCPA internal investigations that are unusual. They reflect the core character of the FCPA and similar laws as legal mandates that are transnational, extraterritorial, and focused on foreign government official action, implicating foreign laws, cultures and business practices. They also reflect a focus -- especially for publicly traded companies in the United States, and particularly in the wake of Sarbanes-Oxley – on accounting and internal control issues. They are unusually complex, both factually and legally.

- 2 -

Moreover, the fact-specific nature of FCPA and transnational bribery issues -- especially on the antibribery side -- makes it critical to focus on “soft” issues of knowledge and intent. Finally, they can raise a number of significant collateral issues, including security, public relations, private and governmental enforcement risks, and others. These aspects make FCPA internal investigations particularly challenging and sensitive. Below is a more detailed discussion of the questions that often need to be addressed in an FCPA internal investigation.

• Whether to Investigate. A threshold question when an allegation of corrupt practices surfaces is whether it is sufficiently credible to merit investigation. Although all allegations must be taken seriously--particularly in an era when misconduct if likely to surface, whether due to whistleblowers, the press, or other factors--the potential for abuse in this area must also be recognized. One must consider carefully the source of the allegation of corruption and the potential motives underlying the allegation, as well as the possibility of misunderstanding or confusion. In the FCPA/transnational bribery context, it is not uncommon for allegations of corruption to be used by a competitor as an offensive weapon for commercial advantage—for example to gain an advantage in procurement, or to deter an acquisition. Employees facing performance issues may also decide to cloak themselves in whistleblower garb to protect against adverse action. Even if the motives of the person alleging corruption are not pure, even if their hands may not be clean, however, if they have credible evidence of possible corruption, it may be necessary to investigate, if only as a defensive matter. How this is done, for example, in the context on an ongoing procurement if the company does not want simply to abandon the business opportunity unless or until it becomes clearer that there is in fact a problem, can be challenging. But if a company does not do so, and it later emerges that misconduct occurred or, even if there was no misconduct, but the allegations become public or are reported to enforcement authorities, the company will be in a materially worse position than if it did not investigate.

• Who Should Investigate. The ongoing Wal-Mart case, initiated in 2011as the result of a New York Times investigative report, focused attention on the parent company’s decision to turn responsibility for an investigation of conduct at a foreign subsidiary over to personnel of that subsidiary potentially implicated in the conduct. The case is a reminder that where parent/issuers are concerned, it is that entity that the SEC will hold responsible for the subsidiary’s conduct , assuming it is part of the consolidated group. The parent’s conduct will also be evaluated by the DOJ, from the standpoint not only of its potential knowledge or participation, but also from a compliance oversight standpoint. Rarely in today’s more integrated world is a subsidiary’s conduct wholly independent of the parent.1 This gives the parent a significant stake in the investigation, and often

1 A recent example can be found in the Alcoa case, settled in 2014, in which the company’s matrixed and complex business organization was discussed in detail in the settlement documents.

- 3 -

means that the parent rather than the subsidiary should drive the investigation from the company’s side. Whether the investigation should use internal or external resources, and other issues associated with who should investigate are discussed infra in Section II.B.

• Launching the Investigation. Deciding whom to inform, deciding who the client

is (especially where multiple entities within a corporate group are implicated), taking steps to preserve privilege (assuming a decision has been made to preserve privilege to the extent possible), preserving documents, deciding on an initial scope, forming the team to investigate, and stopping any activities that could give rise to ongoing violations are all typical launch steps in the FCPA/transnational bribery as well as the general investigative context. Attachment A contains a checklist of launch-related issues. In general terms, the FCPA/transnational bribery context is no different. However, in practice, these issues are considerably more complex because of the likely wider reach, including into foreign jurisdictions, of the FCPA internal investigation. As that reach extends, the extent to which command and control structures exist to readily implement initial decisions—such as the key step of preserving evidence--is often reduced by both practical and legal considerations (including foreign laws), posing challenges for the investigation. Moreover, the wider the scope of conduct at issue, the more difficult it will be to know at the outset whether key team members are people who are free of any possible implication or can be trusted. Every aspect of the investigation, from communications to logistics, will be more complex than the typical investigation.

• Scope of Investigation. Determining the scope of an internal investigation is a key threshold issue for all investigations; the same is true for FCPA internal investigations. Scope issues in FCPA internal investigations are particularly complex, however, for several reasons, and often need to be revisited during the course of an investigation. They involve consideration of conduct that may be confined to a single country or part of a country, or occurring in multiple jurisdictions around the world; conduct that may be isolated in its incidence or recurring over an extended period of time; conduct arising in a wide range of business contexts, from procurement and contracting to a host of other actions, many of which are (or can be) entirely legitimate); and conduct carried out by foreign subsidiaries or affiliates, and/or third parties (as discussed below), as well as corporate employees. Besides bribery, the conduct may implicate compliance other laws, including money laundering, in multiple jurisdictions. For issuers, it will be critical to give attention to books and records and internal control/compliance issues as well as the bribery issues. Although criminal risks may be greater as to the latter, the former represent the Achilles heel of FCPA liability given the absence of either scienter or materiality requirements, and, where knowing violations are concerned, are increasing the basis of criminal responsibility as well. Recent years have seen well-publicized cases of internal investigations whose costs reached into the hundreds of millions of dollars,

- 4 -

seemingly out of proportion to the conduct at issue.2 Avoiding a “runaway” investigation, while at the same time investigating sufficiently to assess root causes of misconduct and properly remediate, requires judgment and experience.

• Foreign Subsidiaries and Affiliates. In recent years, many FCPA/transnational bribery cases have involved business operations carried out by foreign subsidiaries or affiliates—sometimes with, and sometimes without, the knowledge of senior management of the parent company. An FCPA internal investigation will therefore often encompass not only the parent company, but will implicate foreign subsidiaries or affiliates as well. Even where these entities are wholly owned or controlled by the parent company, the conduct of an investigation with respect to a foreign subsidiary can pose significant challenges. Where the entity is not owned or controlled, but is merely an affiliate, those challenges increase exponentially. Key issues, at the launch of the investigation and as it progresses, such as securing documents, require greater coordination should not be assumed to be automatic even with subsidiaries. Local law issues relating to data protection/privacy, gathering of evidence, requirements to be followed during witness interviews, and the like, must be considered. Parent/subsidiary issues must be examined, both from an accounting/control standpoint and from the standpoint of knowledge/authorization of the payments or transactions at issue. This requires an understanding of the corporate structure, management and financial reporting lines (including intermediate reporting persons or shareholding entities), and careful attention to the identity (and nationality) of actors. The differing jurisdictional reach of the antibribery and books and records provisions with respect to foreign persons also becomes an important factor. Issues (such as third party relationships) must sometimes be reviewed across a company’s foreign operations, especially once a problem has been discovered in one foreign operation. If a company has far-flung foreign operations, this can risk becoming a significant undertaking. In many cases, however, more targeted investigative or forensic approaches may be used instead of a full-blown investigation.

• The Demand Side. Even if no foreign subsidiaries or affiliates are involved, an FCPA investigation will invariably involve consideration of the action of foreign persons. The FCPA focuses only on the “supply side” of bribery of foreign officials and other categories of public persons. However, the “demand side” of the bribery equation is always represented, but rarely accessible, to the investigator. Thus, absent a foreign government proceeding against the foreign official, the internal investigative team will be operating with limited information as to the demand side.

• Intermediaries and Other Third Parties. Another category of third parties often involved as to which more information may be available than with respect to the implicated officials are third parties with whom the company has a business

2 The Avon case, settled in early 2015 for $135 million, but at a reported investigation cost of $350 million, is the most frequently-cited example.

- 5 -

relationship, for example, partners, agents, representatives, consultants, or contractors. The degree of control over these persons will likely vary from substantial to none. This will affect access to relevant information and persons. Decisions must also be made as to the extent to which the investigation must encompass such persons, who would typically be outside the scope of available privilege. If the conclusions of the investigation suggest undue risk from an association with the associated person, such that termination or changes to the relationship are warranted, the key question will become the extent to which the contractual relationship permits such actions. Too often, contractual rights come up short against the unforeseen facts of such situations, putting the company in the situation where the recommendations of counsel to reduce FCPA risks may create commercial risks from a breach of contract.

• Privilege. Traditionally, the maintenance of privilege has been a key consideration in internal investigations, including FCPA internal investigations. Although U.S. enforcement authorities now generally respect the privilege, seeking limited waivers only for contemporaneous legal advice given in connection with the core conduct at issue, not all authorities follow that view, and the rise of third party litigation makes challenges to non-waiver positions increasingly likely. 3 Protecting privilege in the FCPA internal investigations context, given its transnational character, is in any event an even more challenging endeavor than in the general white collar context. Foreign jurisdictions may not follow the U.S. in the extent to which privileges are recognized, so that interviews that could be privileged if conducted on U.S. soil may not be privileged when conducted on foreign soil. As other countries’ anticorruption efforts grow, these differences could become significant. Nonetheless, most companies opt to try to preserve privileges, since only if privileges are preserved from the outset, can the possibility of limited waivers be retained.

• Need for Foreign Evidence-Gathering. Even if only U.S. persons are within the scope of the investigation, the transnational character of the FCPA and other similar laws means that the investigative process will almost certainly involve foreign evidence-gathering. Any such effort will require dealing with language and cultural differences that may affect the substance and reliability of the allegations, access to evidence, and the quality of evidence; geographic differences, that may affect the cost and feasibility of evidence-gathering in person and require resort to long distance methods of gathering information, with the challenges those methods create; time differences, that can affect scheduling

3 See, e.g., United States ex rel. Barko v. Halliburton Co., Case No 1:05-CV-1276, 2014 WL 1016784 (D.D.C. March 6, 2014 (granting discovery of internal investigative materials to a qui tam relator in a False Claims Act suit), rev’d, In re Kellogg Brown & Root, Inc., et al., No. 14-5-55, __ F.3d ___, 2014 WL 2895939 (D.C.Cir. June 27, 2014). For a fuller discussion of the case, see “Barko Unmuzzled in DC, but Attorney-Client Privilege for Internal Investigations Remains at Risk”, Steptoe Client Advisory, Aug. 19, 2014, available at www.steptoe.com.

- 6 -

and other logistical issues; and local law issues as discussed in the following bullet. Some key evidence (for example, bank account information of third parties, phone records where individuals have used personal devices) will likely not be available to the internal investigator because of access, privacy or secrecy limitations.

• Local and Third-Country Law Issues. Besides the local law dimension of the privilege issue identified above, local law will invariably have a significant presence in FCPA investigations, even more than it does in FCPA counseling. Local law may affect whether and how witnesses may be interviewed, what documents may be provided and removed from the country, disclosure issues (including reporting issues under anti-money laundering laws), and the analysis of whether an FCPA violation as well as local law violations have occurred. In particular, data protection issues have become quite important in FCPA investigations. In China, state secrets laws also present process challenges. Local law may also create rights and remedies capable of being invoked by those under investigation in legal proceedings, for example, breach of contract suits, libel suits, or others.4 To anticipate and address these types of issues, it will generally be necessary to associate local counsel in an FCPA investigation. If the matter is the subject of criminal proceedings or investigation in the foreign country, the local law issues become even more significant. Moreover, with other countries. adoption of transnational bribery laws pursuant to the OECD and other international anticorruption conventions, the possibility that a given transaction will implicate third country antibribery laws as well as local law becomes very real (for example, because an intermediate subsidiary is located there).

• The Local Political, Business, and Security Situation. Successful FCPA internal

investigations require more than just a focus on legal issues. Investigators must develop an understanding of the local political, business, cultural, and security situation both at the time the conduct under investigation occurred, and currently as it may be relevant to local remediation and disclosure issues. Investigating an FCPA/transnational bribery issue in Indonesia is different from doing so in Russia, China, Saudi Arabia, Nigeria, Brazil, or Mexico. The presence of elements of organized crime in some countries creates a potential for physical violence that must be taken into account in planning an investigation. And even if there is no organized crime elements in play, security issues must be considered. Cultural and language issues come into play in evaluating witnesses and understanding documentation, and in planning and executing strategy.

4 In one recent matter in which we have been involved, for instance, a third party whose conduct

had raised FCPA issues, causing the client to suspend payments to it, brought proceedings in the local jurisdiction to have the company’s local subsidiary wound up for non-payment of debts. Although the company had a contractual basis for withholding payments given the issues that had arisen, under local law, these proceedings were entirely independent of the parties’ contractual rights and obligations.

- 7 -

• Accounting Issues. In many cases, the issues in FCPA investigations will require the involvement of forensic accounting expertise in the team. This may not be the case where the investigation focuses on a fairly discrete set of issues or transactions; however, where the investigation involves a series of transactions over time, the need to do financial analysis of payments, or other types of accounting issues, such expertise may be necessary. Retention of forensic accountants should be done in a way that is consistent with the company’s privilege goals. They should not function independently, but as a part of the team. Internal audit may also be an important part of the team in certain situations, gathering or analyzing information or both; if so, great care needs to taken to ensure that they are involved in a way that does not jeopardize privilege goals.

• Public Relations. The reputational risks associated with FCPA violations, and antibribery violations more generally, create a potential for press interest should they become aware of the issue. This interest may be exploited by whistleblowers or third parties, or may arise simply due to leaks within the company or elsewhere. The company conducting the investigation will often need to have at the ready public relations and other plans to respond to press reports. This will include the possibility that reports of issues in one country will spread to another country, raising concerns to which the company will need to respond there.

• Local Activities. Although “stopping the bleeding” (halting conduct of which the investigative team becomes aware that may create a risk of ongoing violations) is typically a first priority when an investigation is initiated, the investigation may arise in the conduct of ongoing activities—for example, a competitive bidding process, or regulatory actions, or a fixed investment—that cannot be unilaterally frozen by the company simply because it has initiated an investigation. If the violation is only alleged, there will likely be strong business pressures not to jeopardize a business opportunity or to otherwise potentially adversely affect the company’s ongoing business operations unless and until the investigation has clarified what has occurred. These can be among the most difficult issues for counsel to address.

• Direction and Consultation; Other Stakeholders. In Section II.A. below, we discuss who is most likely to direct today’s FCPA internal investigation. In many ways, this has come full circle from the FCPA’S origins in the SEC’s voluntary disclosure program of the mid-70s. Today, however, the number of players in an FCPA internal investigation has multiplied. In an M&A context, if a potential FCPA issue is identified in the target company, the acquirer will play a significant and possibly even driving role in the FCPA “internal” investigation. The company’s external auditors, lenders, disclosure counsel, and enforcement officials, will also often play a role. This proliferation of players implies a considerably more complex process of reporting and consultation than was the case in recent decades. External parties such as auditors can raise significant privilege issues that are difficult to address, particularly when auditors insist on conducting “shadow” procedures that involve access to privileged information.

- 8 -

• Making Adjustments, While Preserving the Integrity and Credibility of the

Process. Once an FCPA internal investigation is launched, new issues frequently surface, such as whether the investigation needs to be extended to additional foreign operations or types of relationships, and what type of report to prepare. In addition, many of the issues addressed initially will likely need to be revisited as knowledge and circumstances evolve. New witnesses may be identified. Witnesses may require re-interviewing as additional information emerges. Timing factors may change. Some aspects, however, will be irrevocably fixed (or freedom of action or ability to remediate significantly limited) by decisions taken early in the process – privilege and document retention issues being the most obvious of these. Some issues encountered may implicate the integrity and credibility of the investigation. These areas – going to integrity, credibility, or irrevocable choices – can be the most agonizing. Counsel must constantly grapple with how to balance legitimate resource constraints against the need for a process that can later be defended as thorough and balanced. Prioritization, reprioritization, and adjustment become constant features of the process. Surprises are not unusual. Conflicts or differences in judgment may arise between the investigators and the client regarding scope, priorities, focus, or interim steps to be taken. Especially in the wake of Sarbanes-Oxley, as discussed more fully in Section II below, these issues have become complex and potentially charged.

• Disclosure Issues. Disclosure issues loom large during the course of most FCPA internal investigations. The FCPA does not mandate disclosure, but other statutes, U.S. or foreign, may require it. In the U.S., such a requirement can come from the general securities laws, ITAR commission disclosure requirements, OFAC blocking notification requirements, boycott requests, or tax filings, among others. Accounting standards may also come into play in a way that effectively mandates disclosure. Local law may mandate it. As discussed below in Section II.C, third parties such as auditors or banks may have disclosure requirements. And even if there are no legal requirements to disclose, it is clear that the DOJ and SEC encourage voluntary disclosure (although the specific benefits that flow from such disclosure are neither guaranteed nor fully predictable). The risk of an involuntary disclosure, due to a press report, a whistleblower, internal or external to the company, or referral from another country’s authorities or the World Bank cannot be overlooked; it is an increasing risk in today’s climate of greater sensitivity to corruption issues and in light of new incentives, such as the Dodd-Frank legislation. In a truly voluntary disclosure situation, the impact of a disclosure should also be taken into account: the likely government response, including the scope of a government investigation, penalty risks, and the risk of collateral sanctions and other proceedings; the likelihood of the government’s insistence on at least some waiver of privileges and the impact of such a

- 9 -

waiver; the resources required to defend the investigation, both out-of-pocket and management time; the public relations and business consequences in the U.S. and abroad; etc. Although the FCPA has been held by courts not to establish a private right of action, companies should anticipate that creative plaintiffs will find theories of civil liability to pursue. Shareholder derivative suits alleging breaches of fiduciary duty by management and corporate boards, among other violations, have become the norm in the United States in the wake of FCPA settlements (and more recently, even prior to settlement). Recently adopted anticorruption treaties will only fuel this trend toward collateral consequences, as well as making it more likely that an asset acquired as a result of corrupt conduct will be put at risk. Settlements with the DoJ now require cooperation not only with U.S. but foreign authorities, and the multilateral development banks. Faced with the lack of a clear benefit and this expanding list of risks, many companies historically have been leery of voluntary disclosure. In recent years, however, corporate Board of Directors and Audit Committees have opted for disclosure in a significant number of cases, even when not mandated by law, believing that it is the course of action expected by enforcement officials. This trend, it should be emphasized, is not universal, and companies even today do make different judgments about the relative costs and benefits of disclosure. Although the U.S. enforcement authorities, particularly the DOJ, have endeavored in recent years to bring more transparency to the penalty calculus, it is often difficult to isolate the benefits of voluntary disclosure. Cases such as ABB and the 2007 Baker Hughes case, where significant penalties were imposed in the face of what was termed “extraordinary” cooperation by the disclosing entities, not to mention a massive investigative effort, underscore both the risks and lack of defined benefit in making disclosures.5 Conversely, cases as Siemens where no such disclosures were made but the companies still received significant benefits from cooperation and remediation also make the cost-benefit analysis uncertain. If disclosure is required as a matter of law, then there may be no choice. Similarly, if a whistleblower is believed to be present, the disclosure decision may have to be faced very early on. If not, one must question whether, even as to the issue of successor liability, a concern of most acquirers, it is not obvious that significant protection against such liability could not be obtained by a purely internal effort. The problem, especially regarding the whistleblower risks, is the lack of perfect information.

• Post-Disclosure Investigation. Rarely today do U.S. enforcement authorities rely solely on a company’s internal investigation for evidence.

5 This is particularly true since the government has discretion not only regarding the penalty amount (e.g., discounts off the bottom range of fines calculated using the Sentencing Guidelines), but also as to what conduct to charge, who to charge, and the nature of the charges.

- 10 -

Prosecutors today employ a range of tools to develop additional evidence, including tools not available to the company such as mutual legal assistance requests to other countries. Once disclosure is made, prosecutors may also make specific requests of the company for information or documents in furtherance of their own investigation. The pace of the process can be affected, as can its scope and approach. It should not be assumed that the government’s investigation will always be broader. In the Avon settlement in early 2015, the government took the unprecedented step of criticizing the company’s broader internal investigation for slowing down the government’s more targeted investigation.6

• Other Jurisdictions. Anti-corruption issues have become increasingly multijurisdictional. It is not unusual today for multiple countries to be investigating conduct under either their FCPA-counterpart laws, domestic anti-bribery laws, or others. Whether or not a company voluntarily discloses a matter it is investigating to a particular jurisdiction, they may become involved, through referral from another authority, legal assistance requests, or other avenues. Indeed, some U.S. investigations today are the result of foreign investigations: for example, the SEC’s investigation of Petrobras in the wake of the Brazilian authorities’ looking into Operacão Lava Jato, the so-called “car wash” scandal. Other jurisdictions may also initiate sequential investigations, such as has happened with Siemens or in Nigeria in the wake of some of the Panalpina cases. The FCPA investigation needs to be mindful of the interests of other jurisdictions and how they may manifest themselves in the course of the investigation.

• Discipline and Remediation Issues. Regardless of whether a mandatory or voluntary disclosure is made, an FCPA investigation puts disciplinary and remediation issues squarely on the table. The investigation needs to address both the specific individuals and relationships implicated in the investigation as well as the company’s compliance program more generally:

Discipline. If the investigation finds violations, the questions that drive discipline and remediation are various: How serious are the violations? Who committed the violations and with what state of mind? Are those persons still with the company? Are they persons in senior management or who would be viewed as carrying significant compliance responsibilities or exercising “gatekeeping”

6 Deferred Prosecution Agreement, United States v. Avon Products Inc., No. 1:14-cr-00828-GBD (SDNY Dec. 17, 2014) (steps were undertaken “without Department request or guidance, and at times caused unintended delays in the progress of the Department’s narrower investigations….”), paragraph 4.

- 11 -

roles such that their participation would be viewed with great concern by enforcement officials? In light of those factors, what sanctions should be taken against them and when? Are there any legal constraints, for example, under local law or contract, with respect to disciplinary action that could affect either the range of available sanctions or the process that must be followed? What are the likely consequences of any sanctions on such persons (e.g., wrongful termination lawsuits, press disclosures, etc.)? What should be done with persons who have not cooperated with the investigation, or have been determined to pose undue risks going forward? Are there contractual relationships that need to be terminated or restructured? Do the contracts give the company the right to do what it would like to do from an FCPA perspective? Are there practices that need to be stopped in the foreign operation? All of these are, obviously, highly specific to the factual findings of the investigation.

Remediation More Generally. The principal focus of more general remediation efforts will be on the company’s compliance program, although internal control systems may also be implicated. Does the company have a compliance program? Does it include all of the policies and procedures that the investigation has shown to be necessary? Are there adequate resources, financial and otherwise, devoted to the program? Has there been adequate training? Risk assessments? What is the capacity of the internal audit function with respect to the detection of FCPA issues? Does the company have the right compliance structure and resources for its operations? What is its incentive structure for employees? How does the company’s program stack up against the standards published by the DoJ in its deferred prosecution agreements? Should a decision not be made to disclose violations voluntarily, thorough compliance and remediation is important – and arguably even more important – than if a decision is made to disclose. This is because, should the violations later come to light involuntarily, the company will be under great pressure to demonstrate that it has engaged in effective self-policing.

This brings us to the next major topic of this paper, the impact of certain corporate governance reforms earlier in the decade, and, most recently, financial reform legislation, on FCPA internal investigations.

- 12 -

II. THE IMPACT OF DODD-FRANK AND CORPORATE GOVERNANCE REFORMS ON FCPA INTERNAL INVESTIGATIONS

Enron and other corporate fraud and accounting scandals of the early 21st century produced the Sarbanes-Oxley Act of 20027 and other reforms in corporate governance. These reforms are akin to what the PATRIOT Act has done to the rules for waging the war on terrorism. They are far-reaching, and have had significant implications for FCPA self-policing, including the conduct of FCPA internal investigations by publicly traded (listed) companies in the United States.

A full review of Sarbanes-Oxley and other corporate governance reforms in recent months are beyond the scope of this brief paper. Rather, this section will simply highlight some of the corporate governance changes that are most relevant to FCPA internal investigations.

A. Who Is the Client? Past as Prologue

One impact of Sarbanes-Oxley and other reforms designed to strengthen supervision of management by the Board of Directors, and, particularly, by the Audit Committee, is that Audit Committees are more often engaging FCPA counsel directly, instead of relying on counsel selected by management. This represents a return to the earliest days of the FCPA as described earlier. Section 301 of Sarbanes-Oxley encourages this, by explicitly giving Audit Committees the authority to engage outside auditors and to cause the issuer to pay the costs of that engagement (Sarbanes-Oxley, § 301, amending section 10A of the Securities Exchange Act of 1934, 15 U.S.C. § 78f). This can lead to multiple and even (although rarely) competing investigations, if management also engages its own counsel to do an investigation, or it may lead to the investigation being centralized under the Audit Committee’s counsel, especially given the cost implications and other complications of multiple concurrent investigations. Alternatively, it may result in the Audit Committee’s counsel playing more of a reviewing than a direct investigating role. All variations are possible, but whatever variation prevails in a particular case, it is almost a certainty that there will be more, not less, outside counsel at the investigating table, and that some of them will be directly responsible to the Audit Committee. Audit Committee involvement will likely be greater to the extent the conduct at issue involves any one in management, but even without such involvement, the Committee’s oversight responsibilities as articulated in Caremark and elsewhere will give it a role.

B. Selection of the Investigator

These corporate governance reforms create pressures for the appointment of independent investigators, at least in cases that are significant. Although there are a few companies that maintain an internal investigative staff function, this is costly, and will likely mean more recourse to outside investigative resources that are perceived to be independent. The SEC’s

7 Pub. L. No. 107-204, 107th Cong., 2d. Sess., July 30, 2002, 116 Stat. 745 (hereinafter, “Sarbanes-

Oxley”).

- 13 -

Section 21(a) Report of October 20018 flags as one of the factors the SEC will consider in determining an enforcement response is who did the investigation. The Report does not use the word “independence,” but the questions it raises suggest that the SEC will focus on whether internal or external resources were used, and, if external, whether they had done prior work for the company, among other factors. Sarbanes-Oxley does not articulate standards for an investigator’s independence, but by focusing on auditor independence in Title II, and by emphasizing the need for independence on Audit Committees in Section 301, it effectively suggests the need for independence of Audit Committee advisors. Independence may not be the only factor to consider, however, in selecting an external investigator. If the FCPA issues implicate senior management for whom a law firm has worked in the past, or a transaction in which the firm has served as counsel, then it would be difficult for that firm, as much integrity as it might have, to be perceived as independent. (And perception may be as important as reality in defending the credibility of an internal investigation.) Or if the investigation implicates the advice of a law firm, that firm obviously could not credibly investigate the allegations. On the other hand, if those elements are not present, then it may not be a problem to have a firm involved that has done prior work for the company. Indeed, in some cases it may be a benefit, for example, where an understanding of the corporate structure, operations, or culture is key and time is of the essence. Completely new counsel may also be less attuned to subtleties that could affect either their factual undertaking or their ability to convince management or the Board of the soundness of their advice. The ability to draw on past experience, and the confidence and trust that can be built in a relationship over time, can also be a victim of a pure independence model. The specialized expertise required for FCPA investigations should also be taken into account. This discussion suggests that, rather than a hard-and-fast rule regarding independence, a case-by-case approach may need to be followed. Indeed, experience, integrity and credibility, are in the end the most key features. Enforcement officials will assess the findings of the investigation in light of the credibility of not only the process used, but the experience and integrity of the counsel conducting the investigation. Is there a need to retain counsel to conduct the investigation who is separate from the counsel who represents the company in resolution of the matter? Companies and boards approach this issue differently and judgments need to be made on a case-by-case basis. Those who separate the two tend to see the advocacy role as being in tension with the independent investigator’s role. To be sure, a lawyer hired to conduct an internal investigation cannot negate his own findings. But there are often efficiencies to using the same counsel for both, especially given that the evidence is already known to the government. Moreover, the advocacy that a credible investigating firm does conduct may be more effective (because of the established credibility of the firm) than counsel who is brought in simply to play an advocacy role.

8 Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and

Commission Statement on the Relationship of Cooperation on Agency Enforcement Decisions, Securities Exchange Act of 1934, Release No. 44969, Accounting and Auditing Enforcement, Release No. 1470 (Oct. 23, 2001).

- 14 -

C. The Duty to Rat

A third important area to consider is the disclosure duties that may exist under various laws. External auditors have reporting duties to authorities in the U.S. and in many other jurisdictions, sometimes triggered by the perceived adequacy of management’s response to an issue, but sometimes not. Money laundering laws in many countries impose a duty to report suspicious transactions on a wide variety of persons, including financial institutions, accountants, and in some countries, lawyers.

Lawyers in the United States do not have a general “duty to rat” under anti-money laundering laws; indeed, rules of professional responsibility in many U.S. states constrain what lawyers can do in the face of client misconduct. However, Section 307 of Sarbanes-Oxley imposes reporting duties on lawyers representing public companies in certain circumstances. Under this section, the SEC has imposed standards of conduct requiring such attorneys to report evidence of a material violation of securities law or a material breach of fiduciary duty of similar violation by a company or any agent thereof first to the chief legal counsel or the CEO and, if they do not respond, including with appropriate remedial action, to go up the chain and report the matter to the Audit Committee of the Board. In contrast to the rules imposed on auditors under the Private Securities Litigation Reform Act of 1995,9 however, Sarbanes-Oxley, and its implementing rules, do not require the lawyer to make further disclosure to the SEC. Some have said that this provision merely codifies many states’ existing rules of professional responsibility. While perhaps that is so, they give outside counsel representing issuer clients in transactions raising FCPA issues and even FCPA internal investigations new duties to take into account. The specific reference in Sarbanes-Oxley to remediation concerns underscores this point regarding this provision’s relevance in the investigation context. But while Section 307 may be viewed as a weapon in the hands of outside counsel, thoughtful counsel take this provision as a serious burden. Going up the chain if one has been retained by senior management is no trivial matter; it could well rupture the relationship, probably irrevocably. And even if the investigator has no prior relationship, it starts a process that could significantly increase the likelihood of disclosure.

D. Compliance and Disclosure Issues

Sarbanes-Oxley increased management responsibility for internal controls, including establishing new certification requirements, requires the inclusion of management assessments of internal controls in annual reports, and establishes new criminal liabilities for knowing or willful false certifications. See Sections 302, 404, and 906. It also required (in Section 406) the establishment of codes of ethics for senior financial officers. These obligations have sharpened, and will continue to sharpen, management’s focus on internal controls, and may also have the collateral effect of increasing management’s attention to the company’s FCPA compliance program. Moreover, findings of internal investigations may affect the ability of management to make the certifications required by Sections 302 and 906 and other new corporate governance

9 Public Law No. 104-67, § 301, adding Section 10A to the Securities Exchange Act of 1934.

- 15 -

measures, creating situations where disclosure will now be necessary where it might not have been before.

At the same time, the Board of Directors retains compliance program responsibilities under the Caremark decision. Moreover, in the current climate, Boards and Audit Committees may be more inclined to opt for voluntary disclosure in today’s environment than had been the case in the past.

The corporate governance reforms of Sarbanes-Oxley may thus have the effect, when added to preexisting obligations, of better aligning the obligations and interests of management and the Board with respect to compliance and disclosure, and of tipping the balance in favor of disclosure in more cases. Without these legal changes, the pro-disclosure impact of Enron and other cases would likely have faded as memories of the scandals became more distant. The new rules create the possibility of a long-term drift towards greater voluntary or prudential disclosure.

Nothing in the new rules changes the obligations of the SEC or Department of Justice in responding to a disclosure, however. Disclosers will still be taking their chances as to the enforcement action that will await them at the end of the process.

E. Dodd-Frank New Whistleblower Incentives

The Madoff scandal and other perceived failures by the SEC’s Enforcement Division have also led to new whistleblower incentives and protections in the Dodd-Frank financial reform legislation of 2010. Section 922(a)-(g) of Dodd-Frank (codified as Exchange Act Section 21F) gives a mandatory bounty of between 10 and 30 percent of collected penalties to qualifying whistleblowers. The SEC’s implementing regulations were issued on May 25, 2011.10

Under the provisions of the statute and implementing regulations, to be eligible for this bounty, a whistleblower must:

o voluntarily provide o to the SEC o original information o leading to successful SEC enforcement (administrative or judicial) o in which the SEC or certain other agencies collect monetary sanctions exceeding

$1 million based on the same information.

Who is a qualifying whistleblower? A qualifying whistleblower must be an individual; entities are not eligible. Beyond this requirement, who qualifies is defined in the Proposed Regulations primarily by exclusions. A qualifying whistleblower cannot be:

o persons who have a preexisting legal or contractual duty to report their information;

o external auditors;

10 See SEC Rel. No. 34-64545 (May 25, 2011), available at www.sec.gov.

- 16 -

o attorneys who have obtained information through compliance engagements, unless SEC or state bar rules permit disclosures;

o foreign government officials; o compliance personnel or persons of responsibility within a company who receive

information through reporting mechanisms, unless the company does not disclose the information to the Commission w/in a reasonable amount of time or acts in bad faith;

o a person who is criminally convicted in connection with the conduct or who made false statements or provided false information; or

o employees of certain U.S. government agencies (SEC, Public Company Accounting Oversight Board, Comptroller of Currency, Board of Governors or Federal Reserve, Federal Deposit Insurance Corporation, Office of Thrift Supervision, law enforcement organizations).

What does “voluntary” mean? Under the implementing regulations, the information

must be provided in advance of a formal or informal agency request to the individual or his/her representative. (Requests to the entity employing the individual do not defeat individual eligibility, nor does having been interviewed in an internal investigation where no government request has been made.)

What does “original information” mean? Information must be provided after July 21, 2010, the date of enactment of Dodd-Frank; the provision is not retroactive. Information reported must also be based on independent knowledge or analysis, and cannot from publicly available sources. However, if does not have to be first-hand information. The implementing regulations include multiple exclusions, many paralleling who a qualifying whistleblower can be. Under these provisions, original information cannot be:

Information obtained through privileged communications (assuming the privilege has not been waived, or disclosure is permitted by relevant rules);

Information obtained through a legal representation, thereby barring attorneys and those working for/with them, including experts and accountants, from making claim on their own behalf (although they can claim on behalf of their client);

Information received by independent auditors regarding the client and its personnel;

Information received by legal, compliance, audit, supervisory or governance personnel for purposes of causing the entity to respond or for purposes of addressing potential non-compliance with laws; this exception only applies, however, if the entity in question does not disclose the non-compliance within a reasonable period of time or the entity acts in bad faith (e.g., by destroying evidence, hindering the internal investigation);

Information secured through violation of federal or state criminal laws; or Information obtained from anyone subject to any of the preceding

exceptions (an anti-evasion rule).

- 17 -

It is important to note that under the implementing regulations, the information need not be entirely new/original. Even if the SEC has some information about the matter, the “originality” requirement may still be deemed to be satisfied if the information provided is independent and materially contributes to the case.

What types of collections does the term “monetary sanctions” encompass? Monetary sanctions that count against the $1 million threshold cannot include awards against whistleblowers themselves or amounts paid by companies based substantially on whistleblower conduct. They can, however, include disgorgement amounts calculated based on benefits received (standard fare in SEC FCPA settlements today) as well as penalties and interest.

What does “led to successful enforcement” mean? Under the implementing regulations,

a distinction would be made between new cases and already opened cases at the SEC. As to the latter, the information would have to make a “significant contribution” to the outcome, while for a new case, it would be sufficient if the case is based at least in part on the information provided by the whistleblower.

What are criteria for the amount of the award? The statute specifies three criteria, while the implementing regulations add a fourth. The three statutory criteria are: (1) the value of the information provided, (2) the amount of assistance provided, and (3) the programmatic interest in deterrence through awards. The fourth criterion is whether the award otherwise enhances the SEC’s ability to enforce laws, protect investors, and encourages submissions of high quality information by whistleblowers.

What are the provisions regarding confidentiality? Under the implementing regulations, the SEC generally maintains the identity of the whistleblower in confidence. Exceptions include when disclosure is required in court proceedings, and disclosure to DOJ or certain other regulatory agencies, state criminal authorities, as well as foreign authorities. However, the rules permit anonymous submissions to be made through attorneys, subject to certain verification requirements on the part of the attorneys. Prior to any award, however, disclosure of the whistleblower’s identity is required.

What is the process for making claims? The implementing regulations set out a process

involving the following steps:

o First, submission of a TCR (Tip, Complaint, Referral) form by fax or electronically through the web to the SEC’s Office of Whistleblower Protection;

o Second, in order to qualify, the whistleblower must submit a form WB-DEC form (under penalty of perjury); if the whistleblower does so within 90 days after submission to other authority or to company compliance personnel, s/he will qualify for the earlier submission date;

o After the enforcement action has concluded, the Whistleblower Office will issue a public notice of the qualifying resolution; and

o At that point the claim process starts; WB-APP is the proposed claim form.

- 18 -

Companies are prohibited from impeding whistleblower communications with the SEC, including through enforcement of confidentiality agreements.

Will there be any appeal rights? The SEC will have complete, unreviewable discretion as to where in the 10 to 30 percent range of mandatory awards a claim should be fixed. Its decisions whether to make any award, and to whom, will be appealable, however. The implementing regulations require that the SEC take into account factors such as the timeliness of the whistleblower’s report, and his or her engagement with the employer’s internal reporting mechanisms.

Are whistleblowers immune from prosecution? Whistleblowers have no amnesty from prosecution. Thus, whistleblowers who blow the whistle on their own conduct are not guaranteed immunity. However, it seems likely their disclosure could affect enforcement agencies’ exercise of prosecutorial discretion, including in terms of whether to prosecute the individual, what charges to bring, and to what extent to grant penalty mitigation predicated on the disclosure.

What is the impact of Section 922 on corporate compliance programs? Many concerns have been raised about the effect of Section 922 on companies’ internal reporting mechanisms, such as hotlines and the like. The implementing regulations have tried to address this concern in two ways: first, by treating the date of reporting to the SEC as date of internal reporting, provided the employee provides the same information to the SEC within 120 days (preserving a place in line); and second, by requiring the SEC to consider higher percentage awards to persons who first report information through effective company compliance programs. According to the SEC’s 2014 Annual Report on its whistleblower program, fully 80% of the insiders making reports to the agency first reported their concerns internally to their employer.11 If this trend continues, it is encouraging.

These same provisions also create a powerful incentive for companies to self-report

within 120days in any circumstance where they cannot rule out the possible presence of a whistleblower. However, 120 days will seldom be adequate time to conduct an FCPA internal investigation. Accordingly, companies find themselves forced to make more “placeholder” disclosures, and investigators feel pressure to make an early assessment regarding the seriousness of alleged misconduct and begin remediation.

What other effects are the whistleblower provisions likely to have? Besides the question

of the effect on corporate compliance programs and self-reporting, the whistleblower provisions are likely to have other important effects on how companies deal with their personnel. For example, confidentiality agreements between the company and employees, which are not infrequently entered into, could run into enforcement problems. If such agreements are

11 US Securities and Exchange Commission, Annual Report on the Dodd-Frank Whistleblower Program for Fiscal Year 2013 (Nov. 201), available at http://www.sec.gov/about/offices/owb/annual-report-2014.pdf.

- 19 -

perceived as interfering with a company’s communications with SEC, an attempted to enforce them may be prosecuted as a violation of the securities laws.

The SEC’s 2014 Annual Report indicated it received 3,620 whistleblower tips, a modest increase over 2013 reports (3,238). FCPA-related tips also increased, with 159 reports (or 4.4% of the total) classified by reporters as FCPA-related, versus 149 in 2013. The SEC received whistleblower reports from 60 countries, totaling 448 non-US-originated reports. The greatest number of 2104 reports originated from the United Kingdom (70), followed by India (69) and Canada (58).

The SEC has made fourteen awards to whistleblowers since the inception of the whistleblower program under Dodd-Frank, with nine of the awards occurring in 2014. Notably, four awards have been made to whistleblowers living in foreign countries. A record $30 million was awarded to one whistleblower. Additionally, an in-house compliance professional received an award of $300,000, while a person who reported misconduct to the SEC after the company failed to address the issue internally was awarded $400,000.

F. Dodd-Frank Anti-Retaliation Provisions

In addition to the whistleblower bounty provision, Dodd-Frank has added anti-retaliation

provisions to the federal securities laws that protect employees from retaliation for whistleblowing activities. Dodd-Frank Sections 922(h), adding section 21H of the Securities Exchange Act of 1934, and 929A. The scope of these protections, and in particular their application to foreign national employees of foreign subsidiaries, has been the subject of litigation.

The SEC filed its first action alleging violations of the anti-retaliation provisions against

a hedge fund that demoted an internal reporter; the hedge fund was ultimately fined $2.2 million.12 The head of the SEC whistleblower office has also identified retaliation cases as “a priority” for the SEC.13

Litigation has focused on two key issues as to whether whistleblowers are afforded anti-retaliation protections: (1) whether the whistleblower must report to the SEC to gain protections or whether internal reporters are also protected; and (2) whether foreign reporters are protected. Regarding the first issue, the SEC has filed amicus briefs discouraging other courts from adopting the Fifth Circuit’s holding in Asadi v. G.E. Energy (USA), LLC14 that whistleblowers must report directly to the SEC to be protected by Dodd-Frank’s anti-retaliation provisions. The SEC argued in those cases that the Asadi decision was unduly narrow and that individuals need

12 http://www.sec.gov/litigation/admin/2014/34-72393.pdf 13 http://www.law360.com/articles/587847/sec-whistleblower-head-to-punish-cos-that-

silence-tipsters 14 Asadi v. G.E. Energy (USA), LLC, No. 12-20522 (5th Cir. July 17, 2013), available at

http://www.ca5.uscourts.gov/opinions/pub/12/12-20522-CV0.wpd.pdf.

- 20 -

not report to the SEC to gain anti-retaliation protection.15 Additionally, while no other federal appellate court has decided the issue to date, district courts around the country have reached conflicting conclusions.16 Courts also have been hostile to foreign whistleblowers: in August 2014, the Second Circuit held that Dodd-Frank’s anti-retaliation provisions do not apply extraterritorially and foreign whistleblowers are therefore not protected.17

G. Other

There are many other provisions of Sarbanes-Oxley that are relevant to FCPA internal investigations, including the obstruction of justice provisions of Sections 802 and 1102 of the Act, the requirements for auditors to retain work papers in Section 802, and the whistleblower protection provisions of Section 806.

In the post-Enron and post Dodd-Frank world, companies must take special care not to engage in conduct that would suggest obstruction of justice, by destroying documents or otherwise. This is as true in the FCPA context as it is in other corporate compliance contexts. In the FCPA context, however, the challenges in avoiding obstructions risks are more acute due to the FCPA’s transnational character. Implementing document preservation orders in remote foreign subsidiaries may be a considerably greater challenge than doing so in the United States. Investigators may encounter cultural attitudes towards cooperation and openness that are deeply ingrained and make the task of preserving evidence and uncovering the facts much more difficult. In many countries, for instance, reporting adverse information on one’s superiors is not culturally acceptable. Special attention will therefore have to be given to risk management in this arena.

CONCLUSION

This paper has focused on the particular aspects of FCPA internal investigations, how recent changes in corporate governance and whistleblower rights are affecting the already

15 Safarian v. American DG Energy Inc. and Multiservice Power Inc., No. 14-2734, Amicus Brief of the Securities and Exchange Commission in Support of the Appellant, Dec. 11, 2014 (3rd Cir.), available at https://www.sec.gov/litigation/briefs/2014/safarian-americandg.pdf; Liu v. Siemens AG, No. 13-4385, Amicus Brief of the Securities and Exchange Commission in Support of the Appellant, Feb. 20, 2014 (2nd Cir.), available at https://www.sec.gov/litigation/briefs/2014/liu-siemens-0214.pdf.

16 See Banko v. Apple Inc., 2013 U.S. Dist. LEXIS 149686 (N.D. Cal. Sept. 26, 2013) (siding with Asadi); but see Kramer v. Trans-Lux Corp., 2012 U.S. Dist. LEXIS 136939 (D. Conn. Sept. 25, 2012); Connolly v. Wolfgang Remkes, 2014 U.S. Dist. LEXIS 153439 (N.D. Cal. Oct. 28, 2014) (siding with “a large majority of district courts before and after Asadi” in deferring to the SEC’s reasonable interpretation of the act as protecting internal reporters).

17 Liu v. Siemens AG, 763 F.3d 175 (2d Cir. N.Y. 2014).

- 21 -

challenging world of FCPA internal investigations. Although recent years have made the true internal investigation something of a threatened species, one must wonder to what extent the trend towards increased voluntary disclosure will be sustainable. Certain changed factors in the FCPA’S operating environment undoubtedly make it more likely than it was in the past that corrupt conduct will come to light. On the other hand, the multiplication of enforcement and liability risks, and the absence of clear benefits resulting from disclosure, make the voluntary disclosure decision even more difficult than it has been historically. Whether or not there is disclosure, FCPA internal investigations need to be structured and managed for credibility, efficiency, and effectiveness. With potential whistleblowers in both domestic and foreign operations, the need for proper investigation becomes even more acute than it was previously.

- 22 -

ATTACHMENT A

Checklist of issues to Be Considered in Launching an FCPA Internal Investigation

• Are the allegations of FCPA violations credible or questionable? For example, is the source a credible one? Do the allegations need to be tested, and if so, how, before a decision to conduct a full investigation can be taken?

• Are there ongoing activities that need to be halted/frozen pending any investigation to minimize the risk of further violations?

• What steps need to be taken to preserve documents and where?

• Who should conduct the investigation? Inside counsel? Outside counsel? Regular outside counsel or special outside counsel, to provide an additional layer of independence? What is necessary for FCPA outside counsel to be considered independent?

• To whom should the investigators report? Management? The Audit Committee of the Board (for publicly-traded companies and those private companies that have them)? The full Board? Some combination of these?

• Who is the client? Is there a need for representation of multiple persons? Should there be joint or separate counsel? If joint, on what terms?

• What Legal Department resources are necessary to support, direct, and coordinate with outside counsel?

• What other resources need to be involved, internally or externally? Audit, forensic accounting, local counsel, security personnel, public relations, other (e.g., translators)?

• Who should not be involved (for example, because they are potentially implicated)?

• What should the scope of the review be, in temporal, geographic, or other terms?

• Where foreign operations are involved, what is the U.S. parent’s degree of control over that operation?

• To what extent should the investigation be structured to maintain privileges (attorney-client and work product); to what extent has the ability to do so been compromised by prior non-privileged disclosures?

• Are there imminent risks of third-party disclosure (e.g., whistleblowing) that will affect timing and strategy, including disclosure?

- 23 -

• Where is the documentary evidence and how can it best be gathered? To what extent has evidence been lost, destroyed, or compromised already? Are there imminent document destruction dates?

• What is the extent to which electronic communications, especially e-mail, may be involved and how does the accessibility of that information differ from the paper documents?

• Where are relevant witnesses? To what extent are they under the company’s control? To what extent are they accessible? Who are the priority witnesses to interview?

• What should the sequencing of document-gathering and review and witness interviews be?

• Are there immediate disclosure obligations? To whom and of what? Under U.S. local law? Local law? To lenders? To other third parties?

• What areas need to be addressed as a matter of priority, either because of the possibility of continuing violations, changes in circumstances, deadlines, possible third-party issues, or the like?

• What factual background is necessary to effectively pursue the investigation? For example, what needs to be known about corporate structure, lines of reporting, the business activity at issue, the country or countries at issue?

- 24 -