ForThoughts — Edition 4
Issues in forensic accounting
Some of the Leading Practices in FCPA Compliance
Author: Nina Gross, director, Forensic & Dispute Services, Deloitte Financial Advisory Services LLP
The Foreign Corrupt Practices Act of 1977 (FCPA) is intended to prohibit U.S. companies (and foreign issuers that trade stock or American Depository Receipts — ADRs — on U.S. stock exchanges) from obtaining business or an unfair business advantage through illicit means. The FCPA prohibits bribery of foreign officials, and requires companies to maintain accurate books and records and a system of internal controls designed to identify suspect payments.
Many organizations, including those of modest size and complexity that are doing business overseas, are potentially vulnerable to FCPA risk. Furthermore, U.S businesses are expanding in countries that are perceived to be more vulnerable to corruption risk. China, India, and Brazil, for example, rank in the bottom two-thirds (72nd) of 180 countries on Transparency International’s 2007 Corruption Perceptions Index, while Russia and Indonesia are rated nearly twice as corrupt, landing at 143rd on the list.
Since 2001, a surge in FCPA enforcement actions by the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have resulted in criminal convictions of companies and individuals, substantial fines, disgorgement of profits and reputation damage to numerous U.S. multinationals. Companies are clearly taking notice. Awareness of the FCPA and the need to scrutinize internal processes and resources and overseas operations is at an all-time high. More and more companies, both U.S. and non-U.S, are asking: What kind of compliance program do I need? What is missing from the program I have? Am I operating in certain countries that pose greater risk than others? What is the risk of doing business with State Owned Enterprises? What is my exposure if I do business through a joint venture partner or an agent? What are my legal risks from a corruption regulatory standpoint?
What makes FCPA compliance particularly challenging is that violations are not necessarily obvious. Matt Birk, a partner in Deloitte Financial Advisory Services LLP, explains that uncovering potential FCPA violations is not as simple as looking for bags of cash dropped at covert locations.
“Many recent FCPA violation disclosures involve complicated webs of third parties, charities, sales agents and joint ventures,” Birk says. “Pinpointing fraudulent activity in these transactions is a challenging undertaking, but if companies take precautions to ‘look before they leap’ and learn where to look, they can greatly enhance their odds of preventing and detecting potential violations.”
As one would expect, companies’ levels of FCPA awareness and compliance and control activities vary widely. Some have well-established programs in place and are refining them based on current enforcement trends. Others are running at breakneck speed to catch up. Regardless of where companies fall on the compliance continuum, certain leading practices can help mitigate risk and provide evidence of good faith effort that may ease government penalties should problems emerge.
What is most important is that a company invests in a program that can adjust to the changing business environment and evolving business risks. You may want to consider some of the following leading practices as a starting point.
1. Set the tone at the top.
Make it clear throughout the organization that there’s a right way and a wrong way to do business, and the wrong way will not be tolerated. In many organizations, this is happening naturally as boards of directors become more aware of the business risks and personal liability the FCPA imposes and start asking questions about the company’s compliance efforts. That tone at the top funnels downward, compelling staff from the office of general counsel and compliance to the chief financial officer and finance, and ultimately to the people on the ground — the sales, marketing and business staff — to focus on what can be done to reduce exposures, detect and remediate problems, enhance training, and ultimately run the business more effectively from a compliance standpoint. Even something as simple as a memo from the chief executive officer to all employees, stating the company’s policy against bribery and reinforcing the expectation that everyone must comply with that policy and all applicable laws, is a useful tool.
2. Launch a collective effort.
It may be tempting to label an FCPA compliance program a “legal” issue or an “audit” issue, but a more effective practice is to treat it broadly as a collective effort involving various departments including Legal, Compliance, Internal Audit, Finance, Risk Management, and Human Resources. This approach can take better advantage of internal resources, who can develop an efficient program encompassing training, transaction testing, forensic audits, risk assessments and more. The groups’ collective knowledge, and their understanding of the organization and the people the organization does business with, can only help in identifying where the exposures are and how to improve a compliance program.
3. Train, train, train.
Training employees on what is acceptable and unacceptable under the FCPA is critical — not only in English, but in the native tongues of the countries where a company operates. Training the trainers, so people who work in those offices can train others on a regular basis, is also beneficial.
Richard Grime, a partner in the Washington, D.C., law firm O’Melveny & Myers, explains that the most effective training is user-friendly.
“It’s no fun as an employee getting a 50-page handbook written in legalese with confusing terminology and no way to interpret it in regular language,” says Grime. “What’s needed is a comprehensible, short, focused booklet on the FCPA with real-world examples so that employees can understand how to react in particular circumstances. Smart Q&A, encompassing frequently asked questions, is particularly helpful as a format for FCPA training.”
Such learner-friendly training increases the likelihood that employees will buy into the program, understand it and appreciate it. Confirming that employees understand the rules has a twofold benefit: (1) It helps to increase compliance and avoid problems, and (2) if the government does find a problem, companies can demonstrate that it was a clear violation of the standard procedures covered in training.
4. Place resources on call.
Just as important as proper training is having a “go to” resource available when employees have questions or concerns about an interaction with a foreign official. Depending on where the experience resides in your company, that resource may be in the United States or in the foreign country. Having someone who can answer questions and sensitizing employees so that they always inquire if they have any uncertainty about a situation can go a long way in helping to eliminate problems.
5. Anticipate potential pain points.
The areas where your company interacts with a government employee in a foreign country are some of the obvious areas of potential risk. Once you understand where those intersection points are, you can begin to implement risk-lowering mechanisms. The key is to think beyond some of the obvious circumstances where the foreign government is your customer. For example, are you interacting when you set up a factory or when you bring in workers to that factory? Do you import materials into the country? If so, how do you get them through customs? Once through customs, how do you get them to the factory; and once there, do they need special government authorization to bring them into the factory? These are some of the important issues to understand; any intersection with the government may expose you to FCPA risk.
Similarly, certain divisions or functional areas within companies can be more at risk than others. U.S.-based factory personnel, for example, are not likely to interact with foreign officials. But sales agents and others working in foreign markets, such as a local plant manager or the person who deals with renting your premises, may well be interacting with foreign officials. Finance personnel can be critical in finding and monitoring these “touch points,” because these are the people who approve payments, track payments and see the pattern of payments. They can alert you early on to potential problems, such as missing signature approvals or suspicious payments.
You should know your potential trouble spots. You may want to be particularly vigilant in training and watching over employees in business development, marketing, sales, government relations and other areas that touch customers, and also those who interact with foreign governments in the regulatory arena, in the tax and customs arena, and in the finance arena.
6. Use Internal Audit to test and tune.
It’s one thing to have policies and written documents; it’s something else to know if they’re working. That’s where your company’s Internal Audit department can come in, because it can measure the implementation and the effectiveness of those policies to know if they are being applied appropriately and adequately. As Richard Grime explains, one of the critical benefits of testing is that it demonstrates a good “tone at the top” effort. Another is that it facilitates making changes to the compliance program to make it more effective.
“Testing shows that the organization takes compliance seriously and is aware that simply implementing a program is not enough,” Grime says. “Testing allows you to dig deeper into the organization and uncover issues that you wouldn’t know of otherwise, and tailor your compliance program to suit, accommodating changes in business lines, business models, practices in particular countries and the like.”
Testing can answer questions such as: Is there proper segregation of duties? Are there sign-off approvals where necessary? Are payments being made to petty cash that should not be made? Can I identify all my vendors? Do I know my government customers? In addition, traditional FCPA red flags should also be examined, including certain types of accounts such as travel, entertainment, gifts, contributions, lobbying expenses, rent, petty cash, commissions, and payments to agents and third parties. These may have more prominence in some countries than others, but having a regular “deep dive” analysis of these particular accounts helps companies understand the flow of funds, how money is being used, who third-party players are, whether there are proper agreements with them, and whether their services are aligned with those agreements. Such testing can provide management with an indication of the operating effectiveness of the company’s compliance program and highlight potential areas for remediation.
No One-size-fits-all Solution
In many instances, leading practices should be tailored to the company’s real and perceived risk of occurrence, the environment in which the company operates and the corporate infrastructure. However, even allowing for these differences, Grime notes that most companies that take compliance seriously seem to apply similar leading practices:
“Most companies I’ve seen deploy people in key regions who have the knowledge and the experience to help that business deal with the issues as they arise,” Grime says. “They tailor their particular compliance policies to that specific region, and with that in mind they bring in dollar limits or local currency limits for approvals. They have everything properly translated. They understand how particular governments in particular regions work. And they understand the pressure points where bribes or improper payments are most likely to be requested.”
Grime notes that these companies recognize that circumstances are not the same everywhere in the world, but their corporate FCPA policy as a whole is designed to achieve the objective of avoiding improper payments.
Given that growth in today’s global economy often means venturing into unfamiliar and potentially risky countries, and that the surge in FCPA oversight and enforcement activities can make noncompliance even more risky, this type of mindful, dynamic compliance policy is quickly becoming not only smart business practice but may prove to be essential as well.
Read additional information by Nina Gross on the topic in the article:
Foreign Corrupt Practices Act: Leading Practices to Consider
Nina Gross is a director in the Forensic & Dispute Services group of Deloitte Financial Advisory Services LLP, where she specializes in Foreign Corrupt Practices Act (FCPA) and corruption investigations and enforcement matters She renders investigative, due diligence and compliance consulting services to domestic and foreign firms, with an emphasis on the domestic and foreign corruption rules and regulations and fraud risk assessment and control.