Foreign Corrupt Practices Act (FCPA, or “The Act”) enforcement continues to be one of the top priorities for the U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC), and the Biden administration has been vocal about its commitment to Anti-Corruption/Anti-Bribery (ACAB) efforts. Recent remarks made by DOJ Deputy Attorney General Lisa Monaco are succinctly described in Sidley’s white paper, “Making Sense of DOJ’s New Monaco Memo on Corporate Enforcement,” as a “substantial shift toward a more aggressive approach in corporate crime matters,”[1] especially in terms of the expectations for corporate internal investigations, which include:
- “cooperation credit and the ‘timely’ disclosure of information learned in internal investigations”;
- scrutiny of discrete corporate policies—including executive compensation policies—in assessing compliance programs;
- delaying corporate resolutions until DOJ’s investigation of individuals is completed; and
- guidance for corporations with prior misconduct resolutions.
Furthermore, in December 2021, the Biden administration released its United States Strategy on Countering Corruption.[2] This strategy consists of five “pillars” as follows:
- “modernizing, coordinating, and resourcing U.S. Government efforts to fight corruption;
- “curbing illicit finance;
- “holding corrupt actors accountable;
- “preserving and strengthening the multilateral anti-corruption architecture; and
- “improving diplomatic engagement and leveraging foreign assistance to advance policy goals.”
Additional DOJ and SEC publications include A Resource Guide to the U.S. Foreign Corrupt Practices Act (“The Guide”), which states in the introduction that “The Act was intended to halt corrupt practices, create a level playing field for honest businesses, and restore public confidence in the integrity of the marketplace.”[3] The Guide also describes how The Act contains accounting provisions applicable to public companies designed to “strengthen the accuracy of the corporate books and records and the reliability of the audit process which constitute the foundations of our system of corporate disclosure.”[4]
These past and present efforts have resulted in record-breaking criminal and civil fines, penalties, and sanctions for FCPA violations. Thus, it is imperative that organizations take steps to understand their specific risks related to FCPA and other ACAB violation prevention, mitigation, investigation, and remediation. These steps must lead to an understanding of your FCPA risk profile, including:
- organizational vulnerabilities;
- compliance (and noncompliance) history; and
- business partners and other third parties.
Regulatory scrutiny, investigation, and enforcement because of lax ACAB controls can be costly, disruptive to your business operations, and damaging to your reputation. Understanding, monitoring, and managing these risk factors means reduced risk of incidents and control over the response in the event of noncompliance.
Once the risks have been assessed, they must be monitored, and the corresponding internal controls periodically audited. In this article, we will look at how to develop an FCPA/ACAB compliance audit of your books and records for red flags that may have gone undetected by traditional financial audits.
Before conducting any FCPA compliance audit planning, organizations should consider having this type of compliance audit led by internal and/or external counsel, as the audits may need to be conducted under attorney–client privilege. This topic is lengthy enough to warrant a second article written by a lawyer and not an auditor, but at a minimum, ensure adequate training is provided for all FCPA compliance auditors that includes invoking, maintaining, and protecting privilege; work product protections; the difference between “privileged” and “confidential”; appropriate documentation of findings; interview protocols; and limiting distribution of privileged or confidential information.
Audit Step 1: Assess risks
A risk assessment should be the first step in your audit plan. Understand your company’s ACAB risk profile based on a specified set of risk factors and data collected for each factor. These will vary from organization to organization but should include, at a minimum, the following quantitative and qualitative risk factors:
- Location risk: Where are your operations? There are several trusted organizations that publish perceived corruption risk by location, such as Transparency International’s latest Corruption Perceptions Index.[5]
- Government links and affiliations: What is the level of interaction with government officials expected in any given location? This could include processing visas and immigration documents; customs clearance; building permits; occupancy licenses; fire safety inspections; local police response; and other needed government touchpoints.
- Business partner risks: You have probably heard before that “we cannot do indirectly through a third-party business partner what we are prohibited from doing directly.” The majority of recent FCPA enforcement actions involve bribes paid by third-party business partners. Conduct sufficient due diligence and follow up on any red flags identified. In addition to vetting business partners to determine if they pose an ACAB risk, ensure appropriate and transparent contract provisions, and continue to monitor the third party for the life of the relationship.
- Previous complaints and whistleblower allegations: If there were any red flags previously identified, ensure they were investigated and remedied and no longer pose a risk to the organization.
- Existing internal audit plan risk rating, if available: If there is an audit plan already in place that uses other factors to determine the risk profile of a specific location, use those assessments to supplement ACAB-specific risk identification. For example, an area that has been flagged by internal audit as higher risk due to poor financial controls may be indicative of other compliance-related issues.
- Technology: Centralized oversight of financial activity may lower a location’s risk profile as it can be monitored by internal audit and other departments from a central location as needed.
Audit Step 2: Collect data and review transactions
As noted above, if technology allows centralized oversight of financial records, this is extremely helpful in the audit planning process and should be leveraged accordingly. Whether financial records can be analyzed in advance of the audit or only once onsite, the financial records included in the scope of the audit should include the following:
- General ledger
- Invoices
- Expense reports
- Accounting entries
- Requests for payment
- Wire transfer messages
- Contracts
- Bank account reconciliations
- Petty cash vouchers
It is important to note that improper payments can be mischaracterized as consulting fees, commissions, travel and entertainment expenses, rebates or discounts, write-offs, petty cash withdrawals, and sales and marketing expenses, among others. It is also important to note that there is no materiality requirement for a violation of most anti-corruption laws, including the FCPA and United Kingdom Bribery Act, so there should not be any thresholds in place when selecting transactions for onsite or offsite testing.
Wherever possible, use audit analytics to mine available data for red flags. These may include:
- Payments to one-time vendors
- Duplicate payments or invoice numbers
- Round-dollar amounts
- Payments to “offshore” accounts
- Payments to foreign vendors
- Use of cash for unauthorized purposes
- Split payments that may be keeping an unauthorized transaction under automated approval amounts
- Keywords such as those shown in the table below, translated into as many languages as needed
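
As an added illustration (not part of the original article), the sketch below runs four of the analytics listed above over a small constructed payment extract: one-time vendors, duplicate invoice numbers, round-dollar amounts, and possible split payments. The record layout, the 5,000 approval limit, and the 100 round-amount unit are assumptions chosen for the example; no minimum amount is applied, in line with the absence of a materiality threshold.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger rows: (payment_id, vendor, invoice_no, date, amount)
PAYMENTS = [
    ("P1", "Acme Logistics", "INV-100", "2022-03-01", Decimal("1843.27")),
    ("P2", "Acme Logistics", "INV-101", "2022-03-09", Decimal("2210.10")),
    ("P3", "Delta Consulting", "INV-7", "2022-03-10", Decimal("5000.00")),
    ("P4", "Harbor Permits", "INV-55", "2022-03-12", Decimal("4900.50")),
    ("P5", "Harbor Permits", "INV-56", "2022-03-12", Decimal("4800.25")),
    ("P6", "Acme Logistics", "INV-100", "2022-03-15", Decimal("1843.27")),
    ("P7", "Harbor Permits", "INV-57", "2022-04-02", Decimal("312.40")),
]

def find_red_flags(payments, approval_limit=Decimal("5000"), round_unit=Decimal("100")):
    """Return {flag_name: sorted payment ids}. approval_limit and round_unit
    are assumed values; every payment is tested regardless of its size."""
    by_vendor, by_invoice, by_vendor_day = defaultdict(list), defaultdict(list), defaultdict(list)
    for pid, vendor, invoice, date, amount in payments:
        by_vendor[vendor].append(pid)
        by_invoice[(vendor, invoice)].append(pid)
        by_vendor_day[(vendor, date)].append((pid, amount))

    flags = defaultdict(set)
    for pids in by_vendor.values():          # vendor paid exactly once
        if len(pids) == 1:
            flags["one_time_vendor"].update(pids)
    for pids in by_invoice.values():         # same vendor + invoice number reused
        if len(pids) > 1:
            flags["duplicate_invoice"].update(pids)
    for pid, _, _, _, amount in payments:    # whole multiples of round_unit
        if amount % round_unit == 0:
            flags["round_amount"].add(pid)
    for group in by_vendor_day.values():     # same vendor, same day, each under the limit
        each_under = all(amount < approval_limit for _, amount in group)
        if len(group) > 1 and each_under and sum(a for _, a in group) >= approval_limit:
            flags["possible_split"].update(pid for pid, _ in group)
    return {name: sorted(ids) for name, ids in flags.items()}

if __name__ == "__main__":
    for name, ids in sorted(find_red_flags(PAYMENTS).items()):
        print(f"{name}: {', '.join(ids)}")
```

Each hit is a lead for manual review, not a finding; a payment can legitimately trip more than one check.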

As useful as audit analytics are, they are no match for the professional skepticism of an experienced compliance auditor. A manual review of financial records should be conducted to uncover potentially hidden improper activity. This activity can be hidden in payments such as:
- Payments submitted to parties or accounts that do not match the party identified on the invoice
- Vendors who may provide services in connection with government business and who do not provide sufficient detail on invoices
- Payments to third parties with no details provided
- Payments to vendors without supporting documentation related to goods or services provided or for services that do not match the vendor’s business offerings
Other suspicious activity to flag includes vague or insufficiently detailed invoices, invoices containing statements of work that do not match the work performed, and payments that just don’t appear to be reasonable, for example, an invoice for $5,000 for a typically inexpensive item, like a notebook.
A further review of the transactions associated with high-risk trial balance accounts should also be undertaken. These accounts should include charitable contributions, consulting fees, licenses and permits, government-related (e.g., fire, police, immigration), gifts, customs and import duties, taxes, and facilitation payments (if your ACAB policy allows).
Audit Step 3: Conduct interviews
Although described here as Step 3, ideally, interviews would be conducted before beginning any onsite audit work. Despite a comprehensive audit planning process, a statement made during an interview can sometimes change the entire audit plan. An experienced audit team should be prepared to pivot as needed in response to red flags identified during the interview process.
Caution: If red flags are uncovered that were not reviewed during the planning process, consider going “pencils down” until next steps are discussed with your legal department or outside counsel.
There are many benefits to conducting extensive interviews prior to commencing transaction testing. Interviews with local resources can help the auditors understand local business processes; identify additional accounts, transactions, and red flags for focused testing; assess understanding of company compliance policies and identify areas for further training; and inquire about risk areas such as interactions with government officials and procurement and disbursement processes.
During the planning phase, identify risk areas by department and adjust interview questions accordingly. For instance, questions that could be asked during an interview with a human resources source could include topics such as: how anti-corruption training is provided to new employees upon hire and throughout their employment; whether other policy training is provided, such as code of conduct and anti-harassment; whether there is an anonymous reporting channel for employees to report potential wrongdoing; and how visas, immigration permits, etc., are processed. Questions for a supply chain resource could include requesting a description of the processes followed to onboard a new vendor; what the bidding process consists of, if applicable; and how potential conflicts of interest are addressed.
Before conducting any interviews, consider the local culture and language. Topics such as bribery and corruption may be uncomfortable for some people, so translation assistance may be needed. As with any audit interview, it is necessary to listen carefully, probe and challenge respectfully, build rapport, and detect deception. The FCPA audit interview can be vital in uncovering issues related to any ethics and compliance concern—not only ACAB.
Audit Step 4: Prepare report
Documentation and reporting content, format, and results of an FCPA/ACAB compliance audit should be discussed well before conducting any fieldwork, preferably with legal and compliance team guidance on how best to present information and navigate through any potentially problematic findings.
If a written audit report is considered, traditional audit ratings may not be appropriate. Below are some ideas to consider if audit ratings might be effective for your organization’s goals.
Rating guidelines | ||
---|---|---|
Low |
Medium |
High |
Compliance with key company policies and procedures |
Less than substantial compliance with key company policies and procedures |
Noncompliance with key company policies and procedures. Examples include: |
Compliance with management contract terms |
Less than substantial compliance with management contract terms |
|
Anti-corruption training completed by managers and above |
Overall awareness of anti-corruption policies, but no formal training provided for managers and above |
|
Code of conduct annual certifications completed annually by existing associates and required for onboarding new hires |
Key contracts do not have anti-corruption provisions |
|
Due diligence requested and completed on vendors that interact with the government on company’s behalf |
No due diligence completed on vendors that interact with government officials on company’s behalf |
|
Procurement procedures are conducted in accordance with company policy |
Unsupported journal entries not related to high-risk transactions |
Pervasive internal controls weaknesses identified |
Some procurement procedures are not conducted in accordance with company policy |
Significant noncompliance with key management contract terms | |
Some internal controls weaknesses identified |
Manipulation of financial data, fraud, theft, or obstruction of the audit process noted |
Conclusion
In summary, FCPA/ACAB audits are a key part of an effective anti-corruption program, which should already include a clearly articulated organizational ACAB policy; oversight of compliance with policies, standards, and procedures at a senior level; effective communication (including to external parties) of compliance policies, standards, and procedures regarding the FCPA and applicable foreign anti-corruption laws, including regular training and annual certifications; a reporting system or “speak-up” line; appropriately designed internal accounting controls; appropriate disciplinary procedures for noncompliance; and standard due diligence procedures and anti-corruption contract clauses with respect to new business relationships.
Takeaways
- Current regulatory efforts indicate that significant resources and efforts will be focused on enforcing the Foreign Corrupt Practices Act (FCPA).
- Periodic FCPA and Anti-Corruption/Anti-Bribery (ACAB) compliance audits are a powerful tool for monitoring the effectiveness of your organization’s ACAB compliance program.
- It is imperative that any ACAB audit planning begins with a focused ACAB risk assessment.
- ACAB-related transaction testing cannot be conducted similarly to financial statement audit transaction testing. There is no materiality requirement for most ACAB laws.
- ACAB audits may result in internal remediation efforts or the self-reporting of issues. As such, the entire process should be a collaborative effort among legal, internal audit, and compliance teams.