Making FCPA Compliance Sustainable

Much has been written about the rising number of Foreign Corrupt Practices Act (FCPA) enforcements during the past couple of years and the impact it's having on the corporate compliance landscape. Many organizations already know that there is a pressing need to establish an FCPA compliance program to address this very real business risk.

Instead of focusing on the risk and the need to comply with the FCPA, organizations need to answer the question of how to make their compliance activities efficient, cost-effective, and sustainable.

One way to address this challenge is for organizations to turn to their internal control assessment experts -- internal audit -- to provide guidance on this business risk. Internal audit is uniquely positioned to help the business understand and navigate the risks of FCPA across the organization. Effective data analysis techniques used by internal audit departments raise visibility around potential violations and can help management focus attention on the right places.

A Technology-Enabled Strategy

It's a risky strategy to rely solely on whistle-blower hotlines or updated policies (which few read anyway) to address FCPA compliance. It is, after all, a matter of corrupt and unethical behavior to begin with. These sorts of practices are ones that by definition avoid following the rules and are “hidden” from open identification.

Organizations need to actively monitor their business transactions to ensure compliance with those policies. A technology-enabled strategy using audit analytics is a cornerstone of an effective and efficient FCPA compliance program. Audit analytics and continuous auditing can help internal auditors monitor FCPA-related internal controls to prevent and detect violations that could open the organization to broader repercussions.

While ERP and other business systems feature certain capabilities to prevent fraud and errors from occurring or to flag exceptions, most compliance professionals find that these systems are not sufficient to effectively trap the typical problem transactions that occur. Although they are excellent at collecting and processing data, they aren't all that good at getting data out to answer specific business questions, nor are they built to efficiently analyze and monitor transactions intended to mask specific activity.

Additionally, many internal controls are manual and cannot be controlled by an ERP system. Also, in many cases, certain control settings are turned off to increase processing efficiency. As is often the case with complex business dealings, you may also need to analyze data across multiple systems, including both ERP and legacy systems, which typically don't integrate well with one another.

That's where specialized audit analytics technology comes in. It allows organizations to look at every transaction instead of just a sample and, using both custom rules and fuzzy logic, flag those transactions that may require further investigation. Running independently from the various business systems, audit analytics can correlate the different data sets and identify indicators of non-compliance in the data.

Importantly, this also includes looking at the transactions that are subject to manual controls (i.e., matters of written policy) that are not controlled or monitored by an application.

Where to Start

In a word, prioritize. Focus on the highest risk areas, considering the people, processes and the technologies involved. That and take it one step at a time. There is no need to address all possible outcomes in one fell swoop. Your first steps need only be to implement a handful of properly deployed analytics to pinpoint areas where more analysis is required. Use what you learn to prioritize and take a targeted approach. Here's what that might look like:

1. Define the red flags and compliance questions that are most important to your FCPA compliance efforts. Namely identify:
• Payments made to high-risk vendors
• Payments to government contractors
2. Get the data you need to answer your questions. A great place to start is:
• Vendor data
• Payment data
• PEP (Politically Exposed Persons) list, OFAC (Office of Foreign Assets Control) list, etc.
3. Run analyses. Push results out to the right people. Automate the process.
4. Build from there with an iterative approach

As you take one step at a time, you will build on increasing success, momentum and credibility. As your business and external factors change, you -- and your technology -- need to be able to respond quickly and be easily adaptable.

FCPA compliance is not optional. The Securities and Exchange Commission (SEC) and Department of Justice (DOJ), have chosen to focus their attention on this legislation as a means of getting tough on illegal business practices.

Unfortunately by its nature alone, it is a difficult thing to monitor and detect without negatively affecting the speed of business and incurring extra costs. But organizations can leverage the knowledge, know-how and technologies that exist in their internal audit departments to improve their FCPA compliance activities and do so cost-effectively and sustainably. Audit analytics is also a powerful enabling technology and ally for organizations seeking to continuously monitor their high risk business processes to ensure compliance and stay out of the headlines for FCPA violations.

Peter Millar is the Director of Technology Application at ACL Services Ltd., a provider of financial monitoring software and expertise.