As follow-on to my last Process Points posting, this blog considers the same premise when it comes to the FCPA.
Complying with the requirements of the Foreign Corrupt Practices Act (FCPA) is not an easy task. And while FCPA compliance can be one of those “out of sight, out of mind” tasks, you might want to be sure your organization understands how FCPA might apply.
Why? Well, it seems that FCPA enforcement activity by the U.S. Department of Justice and the SEC has surged recently. Around the globe, other countries also appear to be stepping up how they address issues of corruption. (See "Ungreasing the Wheels" in The Economist.)
And if any of these authorities determines that you are in violation of FCPA regulations or their country's laws, those violations can lead to hefty fines, prison time, and other fallout (e.g., negative publicity) that most corporations or individuals don't want!
A quick refresher: The FCPA makes it illegal for a U.S. issuer, domestic concern, or certain foreign issuers of securities to directly or indirectly bribe foreign government officials through payments or gifts of any value to obtain or retain business or to secure an improper business advantage. In addition, the FCPA also requires organizations to keep books and records that accurately reflect all transactions and to maintain adequate internal accounting controls.
Companies often struggle with several aspects of FCPA compliance such as understanding FCPA requirements and obligations, and creating, implementing and enforcing policies and procedures related to FCPA controls. Not only are these aspects a challenge, but so are the expensive and detailed investigations that must take place once possible FCPA violations are surfaced.
So what should you do to address effective FCPA compliance management?
First, you should conduct a FCPA risk assessment. Are you doing business in a foreign country that involves significant interactions with their government? Is that foreign government a direct customer?
Do you have a strong FCPA compliance policy? Is it well communicated and understood? Do you have someone responsible for FCPA compliance with enough “power” to make key people in the organization address FCPA issues?
Do you have strong internal controls that consider FCPA requirements? Do you properly maintain accounting books and records for all operations â€“ domestic and foreign? Are complete records maintained for later audit purposes?
Are foreign transactions approved by authorized personnel? Do your foreign employees understand the importance of FCPA compliance?
Are you able to verify foreign public officials and related parties, other individuals, or foreign businesses and entities that might be linked to corruption or other crimes?
Do you have a case management system to handle FCPA investigations?
Managing FCPA Compliance
How well the FCPA compliance process is managed is a critical part of an organization's internal controls. The CFO or controller of a multinational company has to be comfortable that their organization is handling it well in order to sleep at night. The issues and considerations surrounding effective FCPA compliance management are not that different from the issues encountered in managing any process.
Is your organization using a patchwork system to manage the FCPA process? Are spreadsheets used to monitor the FCPA process? Are e-mails used to communicate approvals and authorities? Is FCPA documentation stored in binders, file drawers, individual PCs, and on shared drives? How do you know that all steps in your FCPA compliance program are completed and approved? How easy is it to retrieve supporting documentation for review by auditors?
Continuous Monitoring and FCPA
It is good practice to establish some continuous monitoring activities that will examine things like payments to certain “risky” vendors (including parties identified on government “watch lists”) or trends in the frequency or dollar level of payments. Continuous monitoring processes can be used to detect exceptions that may be immaterial on their own, but if they are viewed as a whole, they may result in a FCPA violation.
Managing and monitoring the FCPA compliance process should be structured to provide a tracking system for exceptions, provide an audit trail to facilitate investigation and documentation, maintain a history of the handling of exceptions, and facilitate both internal and external audits of possible FCPA violations. Such activities can provide the organization (and their auditors) with higher degrees of confidence in their FCPA control processes and help reduce the risk of violations while saving time and money in any FCPA audit process.
There are software solutions available that provide easy-to-use tools, including workflow automation, for managing the FCPA process. The benefits of implementing these tools include increased productivity, reduced risk and audit costs, improved FCPA compliance and integrity, and accelerated and less costly audits. Continuous monitoring solutions are available from vendors such as Oversight Systems, ACL, and Approva. Automated management solutions are available from third-party vendors, including Compliancy Software, Sentinet, Attus Technology, and Compliance Track. ###