The Vimpelcom FCPA enforcement action is stunning in its breadth and the brazen nature of the bribery scheme. It is hard to accept that such conduct stretched into 2011 to 2013, given the significant emphasis placed on anti-corruption enforcement in the corporate governance world.

It is easy to ask but hard to imagine how many other major companies are operating with such flimsy attention to compliance and corruption risks. Vimplecom should be used by every practitioner and corporate compliance officer as a sterling example of what can go wrong when a company ignores risks, follows weak internal controls, and permits individual executives the authority to derail properly essential compliance and control functions.

In Part 1, I outlined the concerns with regard to Vimpelcom’s board and its failure to exercise its fiduciary responsibilities. They are not the only party to blame in this mess. Outside counsel provided an inadequate opinion letter based on a failure to identify beneficial owners of the shell company that could have stopped the board from approving the transaction.

Internal Controls

The second most significant question for Vimpelcom is how did the senior executives circumvent internal controls to gain access to the funds needed for the bribery scheme?

As always, the devil is in the details, and the Vimpelcom mess is an important reminder for companies to attend to their financial controls and enforce them as a way to prevent misconduct.

Financial transactions were reviewed and approved without proper diligence and supervision. The payment of $37.5 million as a repurchase guarantee to the shell company begs the question – did the reviewers and approvers ever ask for details as to the beneficial ownership of the shell company? The foreign official at issue was an indirect owner through the shell company of Unitel. Additionally, it appears that delegations of authority in the company were not followed with regard to approval of payments.

Second, a $25 million payment was made to the same shell company for a license for 4G frequencies in Uzbek but again it appears that no one reviewed the transaction for beneficial owners, or noticed that the same shell company as involved in a large transaction.

Third, $32 million in bribes were paid through sham consulting contracts, sham deliverables of little to no quality and invoices that contained huge fees for basic consulting services. All of these red flags in reviewing contracts and payables were ignored or circumvented.

Finally, Vimpelcom made $20 million in bribe payments through arrangements with resellers where the payments were used to convert currency and no services were provided. Again, money went out Vimpelcom’s door without proper regard for ensuring that services were provided and payment were legitimate.

Employee Concerns

Vimplecom’s failure to act was reflected in its response to the employee who raised serious FCPA concerns relating to the Uzbek operation. As detailed in the facts, the employee eventually was able tor each senior management to present his concern but along the way he was told that he would have to resign. In the end, a senior executive who was well aware of the bribery scheme was able to shut down the inquiry.

If you want an explanation for a company’s criminal conduct, its treatment of employee concerns, threatening the employee and forcing him/her to resign is just the tip of the iceberg of a corporate culture committed to crime.

In-House Counsel

I would be remiss if I did not mention the failure of in-house counsel to exercise his/her proper role. As detailed in the factual statement, in-house counsel blessed a due diligence questionnaire and review that failed to disclose the beneficial owners of the shell company. Whether counsel was negligent or turned a blind eye in the face of business pressure and expectations, I cannot say but it certainly was not a moment of glory for the legal profession.

Derailing the Audit Function

Finally, Vimpelcom’s executives were able to shut down an audit of the reseller contracts that would have revealed the shell company’s interest in the transactions. Just like its internal controls, the internal audit function was stone walled and derailed from carrying out its duties.