The Justice Department’s Evaluation of Corporate Compliance Programs document, which was released in February, drove home the concept of operationalized compliance. It asked a series of questions designed to determine how well a company had moved compliance into the very fabric of its organization. This document followed a series of Justice Department pronouncements that emphasized whether a compliance program was effective—not only must an organization be doing compliance, but it must also be testing how well it is working, integrating that information back into the compliance program itself, and documenting it.

These key concepts, which the Justice Department has espoused in recent years, all came to bear on a Foreign Corrupt Practices Act enforcement action involving Houston-based Halliburton Inc., which was settled in late July. Although this matter was a civil enforcement action brought by the Securities and Exchange Commission, the same principles articulated by the Justice Department hold forth in civil FCPA enforcement actions brought by the SEC.

In the Halliburton enforcement action, the company had a compliance program that existed on paper but was easily subverted, all in violation of the FCPA. Employees on the ground in countries well known for high corruption risk were able to evade, subvert, and circumvent them to hire a local agent. Additionally, senior management was able to override the internal controls without sufficient explanation or written documentation as required by company policy.

This particular enforcement action hinged on the requirement that when doing business in Angola with the national oil company, Sonangol, an international company must have local content (i.e., locally hired manpower and use of local manufacturing) in the business offering. This type of requirement is widely observed in many areas across the globe; from South America to west Africa to the Middle East to the Far East. This is a typical issue for organizations to deal with and, as such, makes the Halliburton FCPA enforcement action instructive for compliance professionals.

Halliburton’s Angolan business folks needed to have someone fulfill the local content requirement to bid on a series of contract offerings by Sonangol. Their initial position was that any such local content would be an agent of the company. During this timeframe, 2008-09, Halliburton was settling its first FCPA violation and was therefore quite sensitized to bringing on third-party agents. The company had created a robust third-party agent vetting and due diligence process that had not only high visibility within the company but also support literally up to the board of directors.

The Halliburton FCPA enforcement action emphasizes that companies must have effective internal compliance controls. The SEC Order is replete with examples where the company allowed the internal controls to be disregarded, circumvented, or over-ridden.

Unable to bring in local persons as required by Sonangol as agents, the local Halliburton team simply switched the locals over to vendors who would allegedly do work for the company. This allowed them to contract with Halliburton without the vetting and due diligence required as agents. Yet when hiring vendors, Halliburton had controls around this process. Any proposed vendor was required to go through a competitive bidding process to determine the best pricing for the company. This is where the local Halliburton team, however, was able to enter into a non-written contract with the local agent and have him paid without following any of the vetting and due diligence requirements. Indeed, the amount paid to the local agent under this oral contract was even increased at one point. When a written contract was finally put in place, the services required from the local agent were never delivered and the payments continued to be made.

Halliburton also had a method for a sole source contract where the vendor had some unusual skill or technical expertise the company could not find elsewhere. There was, however, no evidence of such capabilities from the local agent. Once again, the local Halliburton team was able to work around the company’s internal controls. Finally when it was determined by internal Halliburton vetting that the local agent was not providing sufficient value to the company from a financial perspective, senior management exercised its prerogative to over-ride the internal controls and retain the local agent. This was another example of how Halliburton’s compliance program was not effective, as senior management did not document any business justification or reason why the internal controls should not be followed. They simply did not follow them.

The SEC Order went into a fair amount of detail on the above internal control failures. One of the key messages from this detail was the robustness of the Halliburton compliance program, on paper and its fallibility in the field. To have an effective compliance program requires multiple steps with not only testing for effectiveness but also cross-checking from other disciplines and functions as a backup line of defense.

In Hallburton’s case, the local business team could manipulate the system to thwart the compliance program’s first line of defense. As a second line of defense, however, regulators might reasonably expect that in the absence of internal approval to contract with a third party, accounts payable or a corporate finance department would have noticed when asked to make payment to a third party that did not have a contract in place. One of the most basic internal controls a company should have in place is that if there is no written contract, accounts payable will not issue payment for services.

Finally, there is the third line of defense: internal audit. But this control also failed through the circumventions mentioned above. As the SEC Order noted, “internal audit was kept in the dark about the transactions and its late 2010 yearly review did not examine them.” This single line clearly demonstrates the inter-connectedness of viewing, reviewing, and testing a compliance program on an ongoing basis. It is no secret that Angola is a country with a high perceived risk of corruption. Even in the most recent Transparency International Corruption Perceptions Index, Angola comes in at number 164 out of 176 countries listed. That alone demonstrates the need for not only robust anti-corruption measures for any business in Angola but also the need for greater vigilance through testing, auditing, and monitoring.

The Evaluation of Corporate Compliance Programs lays out two significant inquiries around testing and ongoing monitoring. Under the heading Internal Audit, it asks:“What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings?” Under the heading Control Testing, it asks: “Has the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties?”

The Halliburton FCPA enforcement action emphasizes that companies must have effective internal compliance controls. The SEC Order is replete with examples where the company allowed the internal controls to be disregarded, circumvented, or over-ridden. Even the company’s internal audit reports were not followed up when they noted deficiencies in the contracting process. As bribery and corruption schemes become more sophisticated, we will likely see more enforcement actions like this Halliburton FCPA enforcement action. Compliance professionals need to take note that in high-risk jurisdictions, internal controls must be enforced and followed to be effective. Additional auditing, monitoring, and testing should be routinely performed to ensure that policies and procedures are not only in place, but being followed.

Finally, this FCPA enforcement is a civil action brought by the SEC, not a criminal matter brought by the Justice Department. FCPA compliance has always been more than simply not paying (or offering to pay) bribes. The accounting provisions, enforced by the SEC, require a company to have effective internal controls and make accurate representations in its books and records. The bottom line is that the key to staying clear of FCPA enforcement is to build a compliance program that is more than a paper tiger. It has to have real teeth. Halliburton failed to do that, and it is paying the price for it. Any organization would do well to learn from this example.