Category Archives: Foreign Corrupt Practices Act

Using Control to Foster a Culture of Honesty

One of the most frequent questions we seem to receive as practicing CFEs from clients and corporate counsel alike regards the proactive steps management can take to create what’s commonly designated a ‘culture of honesty’. What kinds of programs and controls can an entity implement to create such a culture and to prevent fraud?

The potential of being caught most often persuades likely perpetrators not to commit a contemplated fraud. As the ACFE has long told us, because of this principle, the existence of a thorough control system is essential to any effective program of fraud prevention and constitutes one of the most vital underpinnings of an honest culture.

Corporations and other organizations can be held liable for criminal acts committed as a matter of organizational policy. Fortunately, most organizations do not expressly set out to break the law. However, corporations and other organizations may also be held liable for the criminal acts of their employees if those acts are perpetrated in the course and scope of their employment and for the ostensible purpose of benefiting the corporation. An employee’s acts are considered to be in the course and scope of employment if the employee has actual authority or apparent authority to engage in those acts. Apparent authority means that a third party would reasonably believe the employee is authorized to perform the act on behalf of the company. Therefore, an organization could be held liable for something an employee does on behalf of the organization even if the employee is not authorized to perform that act.

An organization will not be vicariously liable for the acts of an employee unless the employee acted for the ostensible purpose of benefiting the corporation. This does not mean the corporation has to receive an actual benefit from the illegal acts of its employee. All that is required is that the employee intended to benefit the corporation. A company cannot seek to avoid vicarious liability for the acts of its employees by simply claiming that it did not know what was going on. Legally speaking, an organization is deemed to have knowledge of all facts known by its officers and employees. That is, if a prosecutor can prove that an officer or employee knew of conduct that raised a question as to the company’s liability, and the prosecutor can show that the company willfully failed to act to correct the situation, then the company may be held liable, even if senior management had no knowledge or suspicion of the wrongdoing.

In addition, the evolving legal principle of ‘conscious avoidance’ allows the government to prove the employer had knowledge of a particular fact which establishes liability by showing that the employer knew there was a high probability the fact existed and consciously avoided confirming the fact. Employers cannot simply turn a blind eye when there is reason to believe that there may be criminal conduct within the organization. If steps are not taken to deter the activity, the company itself may be found liable. The corporation can be held criminally responsible even if those in management had no knowledge of participation in the underlying criminal events and even if there were specific policies or instructions prohibiting the activity undertaken by the employee(s). The acts of any employee, from the lowest clerk on up to the CEO, can impute liability upon a corporation. In fact, a corporation can be criminally responsible for the collective knowledge of several of its employees even if no single employee intended to commit an offense. Thus, the combination of vicarious or imputed corporate criminal liability and the current U.S. Sentencing Guidelines for Organizations can create a risk for corporations today.

Although many of our client companies do not realize it, the current legal environment imposes a responsibility on companies to ferret out employee misconduct and to deal with any known or suspected instances of misconduct by taking timely and decisive measures.

First, the doctrine of accountability suggests that officers and directors aware of potentially illegal conduct by senior employees may be liable for any recurrence of similar misconduct and may have an obligation to halt and cure any continuing effects of the initial misconduct.

Second, the Corporate Sentencing Guidelines, provide stiff penalties for corporations that fail to take voluntary action to redress apparent misconduct by senior employees.

Third, the Private Litigation Securities Reform Act requires, as a matter of statute, that independent auditors look for, and assess, management’s response to indications of fraud or other potential illegality. Where the corporation does not have a history of responding to indications of wrongdoing, the auditors may not be able to reach a conclusion that the company took appropriate and prompt action in response to indications of fraud.

Fourth, courts have held that a director’s duty of care includes a duty to attempt in good faith to assure corporate information and reporting systems exist. These systems must be reasonably designed to provide senior management and the board of directors timely, accurate information which would permit them to reach informed judgments concerning the corporation’s compliance with law and its business performance. In addition, courts have also stated that the failure to create an adequate compliance system, under some circumstances, could render a director liable for losses caused by non-compliance with applicable legal standards. Therefore, directors should make sure that their companies have a corporate compliance plan in place to detect misconduct and deal with it effectively. The directors should then monitor the company’s adherence to the compliance program. Doing so will help the corporation avoid fines under the Sentencing Guidelines and help prevent individual liability on the part of the directors and officers.

The control environment sets the moral tone of an organization, influencing the control consciousness of the organization and providing a foundation for all other control components. This component considers whether managers and employees within the organization exhibit integrity in their activities. COSO envisions that upper management will be responsible for the control environment of organizations. Employees look to management for guidance in most business affairs, and organizational ethics are no different. It is important for upper management to operate in an ethical manner, and it is equally important for employees to view management in a positive light. Managers must set an appropriate moral tone for the operations of an organization.

In addition to merely setting a good example, however, COSO suggests that upper management take direct control of an organization’s efforts at internal controls. This idea should be regularly reinforced within the organization. There are several actions that management can take to establish the proper control environment for an organization and foster a culture of honesty. These include:

–The establishment of a code of ethics for the organization. The code should be disseminated to all employees and every new employee should be required to read and sign it. The code should also be disseminated to contractors who do work on behalf of the organization. Under certain circumstances, companies may face liability due to the actions of independent contractors. It is therefore very important to explain the organization’s standards to any outside party with whom the organization conducts business.

–Careful screening of job applicants. One of the easiest ways to establish a strong moral tone for an organization is to hire morally sound employees. Too often, the hiring process is conducted in a slipshod manner. Organizations should conduct thorough background checks on all new employees, especially managers. In addition, it is important to conduct thorough interviews with applicants to ensure that they have adequate skills to perform the duties that will be required of them.

–Proper assignment of authority and responsibility. In addition to hiring qualified, ethical employees, it is important to put these people in situations where they are able to thrive without resorting to unethical conduct. Organizations should provide employees with well-defined job descriptions and performance goals. Performance goals should be routinely reviewed to ensure that they do not set unrealistic standards. Training should be provided on a consistent basis to ensure that employees maintain the skills to perform effectively. Regular training on ethics will also help employees identify potential trouble spots and avoid getting caught in compromising situations. Finally, management should quickly determine where deficiencies in an employee’s conduct exist and work with the employee to fix the problem.

–Effective disciplinary measures. No control environment will be effective unless there is consistent discipline for ethical violations. Consistent discipline requires a well-defined set of sanctions for violations, and strict adherence to the prescribed disciplinary measures. If one employee is punished for an act and another employee is not punished for a similar act, the moral force of the company’s ethics policy will be diminished. The levels of discipline must be sufficient to deter violations. It may also be advisable to reward ethical conduct. This will reinforce the importance of organizational ethics in the eyes of employees.

Monitoring is the process that assesses the quality of a control environment over time. This component should include regular evaluations of the entire control system. It also requires the ongoing monitoring of day-to-day activities by managers and employees. This may involve reviewing the accuracy of financial information, or verifying inventories, supplies, equipment and other organization assets. Finally, organizations should conduct independent evaluations of their internal control systems. An effective monitoring system should provide for the free flow of upstream communication.

Bribery & Deferred Prosecution

Between January and February 2015, a prominent trade organization focusing on American attorneys conducted a survey of 243 Chief Legal Officers of global companies to assess the corporate counsel’s opinion regarding the greatest threats to their organization’s growth. Respondents were asked to rank their top three concerns. Not surprisingly, economic uncertainty was at the top of the list with 57% of the respondents ranking it in their top three. The unexpected finding was that 53% of the respondents named regulatory compliance and enforcement as a top concern as well.

When asked to specify which laws caused them the most concern 28% identified the Foreign Corrupt Practices Act and 15% identified the UK Bribery Act. This means 43% of the respondents named anti-bribery laws as one of their top three concerns, more than any other law or regulation identified. When asked about the resources spent on regulatory compliance and enforcement, the response was also surprising as only 38% of the corporate counsel who identified regulatory compliance and enforcement as a threat, are expending resources to address the threat. As a follow up to the 2015 survey, the same organization conducted a second survey in early 2017 to gain further insight into corporate counsels’ ability to address regulatory and compliance threats. This time 256 respondents were surveyed, 62% of whom stated that their organization is designing or building some type of robust internal compliance program. Although this is movement in the right direction, over a third of the organizations surveyed still may not be prepared to detect or deter bribery and corruption. Most significantly, they will not be prepared to meet government expectations if a violation occurs and self-reporting is required. Lastly, 54% of the respondents stated that they are building or expanding their in-house systems to address this threat. Many believe that compliance technology is the appropriate answer as regulators prefer technical solutions to these problems, because they are viewed to be sophisticated and ‘state of the art’.

This research should be of special interest to all CFEs because we work so frequently with corporate counsels, but indeed, to assurance professionals in general who like fraud examiners are on the front line in the fight against corruption.

The Foreign Corrupt Practices Act (FCPA) was enacted in 1977 but aggressive enforcement did not really pick up until around 2005 when there were twelve enforcement actions.  The purpose of the FCPA was to prevent the bribery of foreign government officials when negotiating overseas contracts. The FCPA imposes heavy fines and penalties for both organizations and individuals. The two major provisions address: 1) bribery violations and 2) improper books and records and/or having inadequate internal controls. Methods of enforcement and interpretation of the law in the US have continued to evolve over the years.

The FCPA created questions of definition and interpretation, i.e., Who is a “foreign official?” What is the difference between a “facilitation” payment and a bribe? Who is considered a third party? How does the government define adequate internal controls to detect and deter bribery and corruption?

The enactment of the United Kingdom (UK) Bribery Act in July 2010 was the first attempt at an anti-bribery law to address some of these issues. The UK Bribery Act introduced the concept of adequate procedures, that if followed could allow affirmative defense for an organization if investigated for bribery. The UK Bribery Act recommended several internal controls for combating bribery and introduced the incentive of a more favorable result for those who could document compliance. These controls include:

• Established anti-bribery procedures
• Top level commitment to prevent bribery
• Periodic and documented risk assessments
• Proportionate due diligence
• Communication of bribery prevention policies and procedures
• Monitoring of anti-bribery procedures

The concept of an affirmative defense for adequate procedures creates quite a contrast to FCPA which only offers affirmative defense for payments of bona fide expenses or small gifts within the legal limits of the foreign countries involved.

The UK Bribery Act equated all facilitation and influence payments to bribery. Finally, the UK Bribery Act dealt with the problem of defining a foreign official by making it illegal to bribe anyone regardless of government affiliation. Several countries such as Russia, Canada and Brazil have enacted or updated their anti-bribery regulations to parallel the guidelines presented in the UK Bribery Act. The key to the effectiveness of all these acts remains enforcement.

In November 2012 the US Department of Justice and the Securities Exchange Commission released “A Resource Guide to the Foreign Corrupt Practices Act.” The guide book introduced several hallmarks of an effective compliance program. The Resource Guide provided companies with the tools to demonstrate a proactive approach to deter bribery and corruption. Companies in compliance may receive some consideration during the fines and penalty stage.

The guide’s hallmarks include:

• Establish a code of conduct that specifically addresses the risk of bribery and corruption.
• Set the tone by designating a Chief Compliance Officer to oversee all anti-bribery and corruption activities.
• Training all employees to be thoroughly prepared to address bribery and corruption risk.
• Perform risk assessments of potential bribery and corruption pitfalls by geography and industry.
• Review the anti-corruption program annually to assess the effectiveness of policies procedures and controls.
• Perform audits and monitor foreign business operations to assure compliance with the code of conduct.
• Ensure that proper legal contractual terms exist within agreements with third parties that address compliance with anti-bribery and corruption laws and regulations.
• Investigate and respond appropriately to all allegations of bribery and corruption.
• Take proper disciplinary action for violations of anti-bribery and corruption laws and regulations.
• Perform adequate due diligence that addresses the risk of bribery and corruption of all third parties prior to entering a business relationship.

The SEC and DOJ entered into the first ever Non-Prosecution Agreement (NPA) for Foreign Corrupt Practices violations in 2013. This decision was a harbinger from the DOJ and SEC with regard to future enforcement actions. The NPA highlighted the “extensive remedial measurements and cooperation efforts” that the defendant company demonstrated during the investigation. The corporation paid only $882,000 in fines because they were able to “demonstrate a strong tone from the top and a robust anti-corruption program”.

Under a Deferred Prosecution Agreement (DPA) the DOJ files a court document charging the organization while simultaneously requesting that prosecution be deferred to allow the company to demonstrate good conduct going forward. The DPA is an agreement by the organization to: cooperate with the government, accept the factual findings of the investigation, and admit culpability if so warranted. Additionally, companies may be directed to participate in compliance and remediation efforts, e.g., a court-appointed monitor.

If the company completes the term of the DPA, the DOJ will dismiss the charges without imposing fines and penalties. Under the Non-Prosecution Agreement, the DOJ maintains the right to file charges against the organization later should the organization fail to comply. The NPA is not filed with the courts but is maintained by both the DOJ and the company and is posted on the DOJ website. Like the DPA, the organization agrees to monetary penalties, ongoing cooperation, admission to relevant facts, as well as compliance and remediation of policies, procedures and controls. If the company complies with the agreement, the DOJ will drop all charges.

The key differences between a deferred prosecution case and one not featuring deferred prosecution is the initial response of the defendant company to the discovery of improper payments. In a deferred prosecution case the response usually features prompt self-reporting, full cooperation with the government and the quality of the serious remedial steps taken, including termination of implicated personnel and the modification of company behavior in the country where the violations occurred. Additionally, deferred prosecution defendants frequently discover the improper payments while in the process of enhancing their anti-bribery and corruption controls.

Originally allegations of FCPA violations were received through a company’s internal whistleblower hotline. That trend changed with the enactment of the Sarbanes Oxley Act in 2002 and the Dodd-Frank Act in 2012. These laws created other means and mechanisms for reporting suspicions of illegal activity and provided protections from retaliation against whistleblowers. The Dodd-Frank Act also has monetary incentives of 10% to 30% of the amounts recovered by the government to encourage whistleblowers to come forward. Companies considering whether to disclose potential anti-corruption problems to the SEC must now consider the possibility that a potential whistleblower may report it first to the government thus creating greater liability for the organization.

In conclusion, according to recent reporting by the ACFE, corporate compliance programs continue to mature, and are now accepted as a cost of conducting business in a global marketplace. The US government continues to clarify its expectations about corporate responsibility at home and abroad and works with international partners and their compliance programs. Increased cooperation between the public and private sectors to address these issues will assist in leveling the playing field in the global marketplace. Non-government and civil society organizations, i.e. World Bank and Transparency International play a key role in this effort. These organizations set standards, apply pressure on foreign governments to enact stricter anti-bribery and corruption laws, and enforce those laws. Coordination and cooperation among government, business and civil entities like the ACFE, reduce the incidences of bribery and corruption and increase opportunities for companies to compete fairly and ethically in the global marketplace.

Facilitation or Bribe?

LondonBridge2During our recent live training event on November 12th , Tom Gober, our speaker, alluded to the importance of the U.S. Foreign Corrupt Practices Act as a piece of US government regulation of which it behooves all fraud examiners to be aware. Tom’s reference got me to thinking about the confusion that still persists regarding certain provisions of the Act among corporate players (as reported in the financial trade press following several recent high profile prosecutions). Enacted to great fanfare in 1977, the purpose of the FCPA was to prevent the bribery by the agents of US corporations of foreign government officials when those agents were negotiating overseas contracts. The FCPA imposes heavy fines and penalties for both organizations and individuals. The two major provisions address: 1) bribery violations and 2) improper corporate books and records as well as maintenance of inadequate internal controls. Understandably, methods of enforcement and interpretation of the law in the US have continued to evolve to the present day.

From the first, the FCPA spawned questions of definition and interpretation for those trying to comply, i.e., who is a “foreign official?” What is the difference between a “facilitation” payment and a bribe? Who is considered a third party? How does the government define “adequate” internal controls to detect and deter bribery and corruption?

The United Kingdom enacted its UK Bribery Act in July 2010 which really represented the first real attempt at an anti-bribery law to address some of these issues. The UK Bribery Act introduced the concept of “adequate procedures”, that if followed could allow affirmative defense for an organization under investigation for bribery. The UK Bribery Act recommended several internal controls for combating bribery and offered the incentive of a more favorable result for those who could document compliance. Among the controls:

• Establish anti-bribery procedures;
• A top corporate level commitment to prevent bribery;
• Periodic and documented risk assessments;
• Proportionate due diligence;
• Communication of bribery prevention policies and procedures to all involved parties in corporate transactions;
• Monitoring of anti-bribery procedures.

The concept of an affirmative defense for adequate procedures creates quite a contrast to the US FCPA which only offers affirmative defense for payments of bona fide expenses or small gifts within the legal limits of the foreign countries involved. The UK Bribery Act simply equates all facilitation and influence payments to bribery, thus eliminating much confusion. Finally, the UK Bribery Act dealt with the problem of defining a foreign official by making it illegal to bribe anyone regardless of government affiliation. Several countries such as Russia, Canada and Brazil have enacted or updated their anti-bribery regulations to parallel the guidelines presented in the UK Bribery Act. The key to their effectiveness remains enforcement.

Then, in 2010, the US Department of Justice and the Securities Exchange Commission released a guide book introducing several hallmarks of an effective FCPA compliance program. The publication of the guidebook is a development which, according to Tom Gober, many auditors and CFE’s remain unaware, even to this day. The Resource Guide provides our client companies with the tools to demonstrate a proactive approach to the deterrence of bribery and corruption. Companies found out of compliance may receive some consideration during the fines and penalty stage of their cases.

The guidebook recommends that companies doing business overseas:

• Establish a code of conduct that specifically addresses the risk of bribery and corruption;
• Set the tone by designating a Chief Compliance Officer to oversee all anti-bribery and anti-corruption activities;
• Train all employees to be thoroughly prepared to address bribery and corruption risk and document that the training took place;
• Perform fraud risk assessments of potential bribery and corruption pitfalls by country and industry;
• Review the anti-corruption program annually to assess the effectiveness of policies, procedures and controls;
• Perform audits (routine and surprise) and monitor foreign business operations to assure strict compliance with the published code of conduct;
• Ensure proper legal contractual terms exist within agreements with third parties that address compliance with anti-bribery and corruption laws and regulations;
• Investigate and respond promptly and appropriately to all allegations of bribery and corruption;
• Take proper disciplinary action for violations of anti-bribery and corruption laws and regulations;
• Perform adequate due diligence that addresses the risk of bribery and corruption performed by third parties prior to entering into any business relationship.

Fraud examiners should make their clients aware that a company which can provide evidence of compliance with these recommendations is afforded many advantages if they’re ever charged with a violation of the Act. Among them is a Deferred Prosecution Agreement (DPA). Under a Deferred Prosecution Agreement the Department of Justice files a court document charging the organization while simultaneously requesting prosecution be deferred in order to allow the company to demonstrate good conduct going forward. The DPA is an agreement by the organization to: cooperate with the government, accept the factual findings of the investigation, and admit culpability if so warranted. Additionally, companies may be directed to participate in compliance and remediation efforts, e.g., a court-appointed monitor. If the company completes the term of the DPA the DOJ will dismiss the charges without imposing fines and penalties!

The DOJ and the company may alternatively even enter into a Non-Prosecution Agreement. Under such an agreement the DOJ retains the right to file charges against the organization at a later time should the organization fail to comply. The NPA is not filed with the courts but is maintained by both the DOJ and the company and posted on the DOJ website. Similar to the DPA, the organization agrees to monetary penalties, ongoing cooperation, admission to relevant facts, as well as compliance and remediation of policies, procedures and controls. If the company complies with the agreement, the DOJ will, again, drop all charges.

The good news is that, since publication of the guidebook, corporate compliance programs have continued to mature, and are now generally accepted as just another cost of conducting business in a global marketplace. The US government is continuing to clarify expectations with regard to corporate responsibility at home and abroad, and working with international partners and their compliance programs. Increased cooperation between the public and private sectors to address these issues will assist in leveling the playing field in the global marketplace. Non-government and civil society organizations, i.e. World Bank and Transparency International are playing a key role in this effort. These organizations set standards, apply pressure on foreign governments to enact stricter anti-bribery and corruption laws, and enforce those laws. Coordination and cooperation among government, business and civil entities, reduce the incidence of bribery and corruption and increase opportunities for companies to compete fairly and ethically in the global marketplace. Hence, every fraud examiner and assurance professional should strongly support these efforts while strongly encouraging our clients to comply with the provisions of the 2010 guidebook.

Folding Client Business Partners into the Fraud Risk Assessment

SeattleAs regular readers of the InnerAuditor blog know, out of town members of our RVA ACFE Chapter are encouraged to submit speaker questions via e-mail for use during our live training sessions. A reader asked a series of questions related to ethical practice for our August 28, 2014 event, Ethics 2014 for CPA’s and Fraud Examiners that we’re co-sponsoring with the Virginia State Police and the President of the Tidewater Virginia Chapter of the Institute of Internal Auditors. One of the questions concerned various ethical exposures involving compliance with the U.S. Foreign Corrupt Practices Act and extending to the business partners of the CPA’s audit client. Should a CFE’s fraud risk assessment include due diligence performed on the business partners of the fraud examiner’s client? Turns out there are a number of interesting ethical and due-diligence considerations.

There is certainly such a thing as third party risk, traditionally represented only by a few key suppliers and agents, and now significantly expanded in today’s global market place by technology firms, joint venture partners, foreign stakeholders, consultants and co-marketers and a whole host of others. Joining with every one of these partner types can expose our clients to significant categories of collateral risk. An overseas consultant can pay a bribe on our client corporation’s behalf to a foreign corporation without our client even knowing it; foreign joint venture partners of one of our client’s domestic suppliers can engage in unethical behavior thereby exposing the client to significant corruption accusations and reputational risk; the client’s law firm can pay for expensive vacations for foreign officials during off-shore tax negotiations; and the list of risks and exposures can go on and on, limited only by our imaginations.

Clearly, then, the net of the CFE’s fraud risk assessment has to be cast widely enough to encompass a thorough understanding of the histories and practices of all the business partners conducting business on our client’s behalf. The recent Target corporation example of on-going data breaches facilitated by hacker use of an infrastructure and maintenance supplier to penetrate Target’s customer systems should be enough to convince any practitioner of the degree of fraud risk represented by business partners, whether ethically challenged or not. The idea that customers, agents, resellers and other parties are not part of a client’s operating or risk profile is no longer a defensible position; a new era of corporate and social responsibility (and the stepped up number of prosecutions recently undertaken under legislation like the Foreign Corrupt Act) has changed that notion forever.

I’m sure all our readers are familiar with the basic mechanics of conducting a fraud (or any type) of risk assessment by now. Although criteria may vary from one assessment to the next, each risk assessment requires the steps of information gathering, analysis and interpretation. In the case of the assessment of the degree of risk represented by third party business partners, the first step is critical; that is to schedule up a list of just who those third parties are (sometimes, in the case of medium to large companies, a daunting task in itself). After your list is complete, for each of the partners you’ve identified, see if you can document an answer for a set of questions like these:

–does your risk assessment client have a formal business contract with this partner? If so, read the contract carefully and make a copy for your work paper file;
–what requirements and rights regarding ethical compliance and anti-corruption are contained in the contract or (absent a contract) in any documentation you can obtain bearing on the exact relationship between the parties;
–does the contract include an audit clause;
–try to find out exactly who owns each listed business partner;
–as far as you can determine, has the partner disclosed to your client all the partner’s relevant third party relationships;
–have all the partner’s operating locations, foreign and domestic, been disclosed;
–does this partner have on-going litigation or governmental relationships that might create an adverse impression among the existing customers of your client or among external regulators?

Following the information gathering phase, the examiner should look for and resolve any apparent red flags involving individual and/or combined partners during the analysis and interpretation phases. Red flags can include limited information about one or more partners, inconsistent or contradictory data, and operations in politically charged locales, prior regulatory sanctions as well as connection to or ownership by politically exposed individuals. Look especially for involvement in non-domestic environments with uncertain economic or commercial requirements. The due diligence process involves fraud examiner/management evaluation of each of the key business partner risk factors identified. A table can be prepared of potential identified risks localized by partner and a remediation plan for management consideration of recommended steps management can take to address potential threats should be written.

Lastly, try to get client management to commit to performance of a formal approval process before engaging with any new, significant business partner and then for on-going review of existing partnerships as a component part of the annual Enterprise Risk Management (ERM) process.

FCPA Compliance Assessment as a Service for Fraud Examiners

Education2In today’s increasingly interconnected world, more and more companies involved in ever more business sectors are finding themselves employing a wider range of intermediaries and partners than they ever thought possible to manufacture, test, sell and market their products outside the U.S.  A small domestic start-up with a website and a few good products can find itself, almost overnight,  involved in an elevated level of interaction with foreign officials for approvals, permits, licenses and certifications.  Accompanying all this regulatory complication and unfamiliar interaction comes the heightened risk of becoming, wittingly or unwittingly,  involved in corruption.

As many of our Chapter members are aware from reading about recent, high profile cases like that of Wal-Mart Mexico, the U.S. Foreign Corruption Practices Act (FCPA) prohibits all U.S. companies, as well as their subsidiaries, from making or promising to make payments to foreign government officials.  The Act also requires companies to maintain accurate and reasonably detailed books and records pertaining to transactions and to dispositions of assets.  Assessing and reporting on our client’s FCPA compliance readiness is a real opportunity for fraud examiners since many company employed financial auditors (internal and external) lack adequate training to detect potential violations and few small or medium sized firms ever conduct standalone FCPA audits or risk assessments.

Fraud examiners can begin to address this need by making their clients doing overseas business aware that corporate lack of compliance with FCPA regulations  constitutes a substantial financial and reputational risk; since a lot of the work we currently do for companies is at the behest of corporate counsel, talking to counsel is often a good place to start.  Request permission to talk to the Chairman of the Audit Committee or to the CEO about adding some of  the following types of services to your annual fraud risk assessments:

–a broad risk assessment of the client’s current level of FCPA compliance targeted at identifying potential high risk areas featuring analysis of quantitative  and qualitative risk factors of all company businesses and international locations;

–assessing management’s FCPA knowledge and current compliance activities (if any); this service can be a very effective lead-in to the provision of management training since National ACFE can partner with you to provide both live and on-line management level instruction on this topic;

–testing existing company policies and procedures (both documented and simply cultural)  for FCPA awareness and effectiveness; this can be done by accumulating electronic data and conducting interviews with the staff overseeing international operations;

–advising management on the application of automated controls and proactive financial data anomaly detection tools to scan for patterns of irregular payments;

–testing transactions to determine whether FCPA controls are working as intended;

— reporting fraud assessment findings to compliance officers, audit committees and legal counsel in a format designed to enhance compliance and reward corrective action on identified FCPA related issues;

–driving FCPA policy and procedural changes using identified risks and gaps;

–training foreign employees about FCPA requirement compliance including on the red flags signaling possible compliance problems;

–sharing with client employees lessons learned from prior situations involving the FCPA.

The long term goal is to work toward making you,  the fraud examiner,  an equal partner  with the corporate compliance and legal functions on the FCPA compliance team; you can help clients design better policies and procedures, develop a more robust risk assessment framework and stronger controls and build your own practice while playing a vital role in the risk based approach to FCPA compliance.