An audit of compliance with Foreign Corrupt Practices Act policies is no easy task. It requires skilled personnel, sophisticated data analytics, and an understanding of the difference between an audit and investigation.
It is also something a compliance program needs to get right. A good FCPA audit can mean the difference between a bribery risk caught and defused early, or one that spirals out of your hands and into those of the Justice Department or Securities and Exchange Commission; just ask Alstom or Avon.
When oil services giant Baker Hughes conducts an FCPA audit, for example, the purpose is “to identify key points of government interaction and try to make sure we have visibility into those points of interaction,” Marianne Ibrahim, senior counsel of audits and investigations for Baker Hughes, said during a recent Compliance Week Webcast.
Before performing an FCPA audit, assemble the right team. You’ll need a combination of an internal audit expert who can test the adequacy of financial controls against reporting processes, and a compliance expert who can properly assess sensitive transactions: gifts, travel, or entertainment expenses, for example. A forensic accounting expert or someone on the legal team with investigative skills is also useful. An FCPA audit conducted outside the United States should further include a local accounting team in that country to assess other potential areas that may need to be audited, she said.
The key, Ibrahim said during the webcast, is to have that talent in-house. “If you have outside counsel or external auditors conducting audits for you, you’re doing yourself a disservice if you don’t have someone internally accompanying them on the audit and informing them of the intricacies of your business and where those risks lie,” she said.
“If you have outside counsel or external auditors conducting audits for you, you’re doing yourself a disservice if you don’t have someone internally accompanying them on the audit and informing them of the intricacies of your business and where those risks lie.”
Marianne Ibrahim, Senior Counsel, Baker Hughes
FCPA audits come in many different forms, including audits of internal business units; audits of third parties and business partners; and pre- and post-acquisition due diligence reviews concerning a merger or acquisition. That means, as always, starting with a risk-based approach to narrow the scope of the audit to those issues needing the most attention. Maybe you want to focus on a particular high-risk geography, for example, or a high-risk third party, or a combination of both.
“If you can gain focus through a risk assessment to tell you where your highest risks are, it becomes much easier to put a plan in place and budget around that plan,” says Bill Pollard, a partner in Deloitte’s FCPA consulting practice.
Enter the Analytics
For most multi-national companies, the sheer volume of transactions, product lines, markets, and people to monitor will require at least some data analytics. That can prove daunting, especially if a company has multiple business software systems tracking the same types of data in various formats. Data analysis software tools let auditor, accountants, and compliance professionals import large amounts of data and pull it all into a single, manageable platform.
“It would be hard to accumulate all of this information in one place without data analysis software, especially when you’re dealing with large volumes of transactions,” says Jill Davies of Audimation Services, a vendor of such software.
Audit teams can then sort the data to identify relationships, patterns, anomalies, and the like. “More companies are taking a data analysis approach to their FCPA audits and vendor audits, in general, than ever before, simply because they have so much information to sort through and match up,” Davies says.
Rather than studying random samples of data, focus on transactions that have multiple red flags associated with them to get better results. “Those are the ones you want to look at from an audit perspective,” Pollard says.
For example, in the case of a third-party audit, you may want to narrow transactions down to third parties in high-risk countries; or third parties whose transactions come up on a critical key word search; or third parties whose payments are being routed to a different country than where they’re located.
“You can have oversight of all these different transactions that could signal an FCPA problem,” Davies says. “You can then create a scorecard, ranking them by which ones hit the most high-risk areas.”
The following information from the CW Webcast provides details on the how to conduct an FCPA audit.
Identify Points of Government Interaction
Customs and Duties
Corporate Taxes and Penalties
Visas and Work Permits
Public Official Gifts and Entertainment
Training of Government-Owned Entities
Business Licenses and Permits
Customs Agents and Freight Forwarders
Commercial Sales Agents
Consultants and “Channel Partners”
Start 4 to 6 weeks in advance
Perform audit with legal counsel’s lead
Establish key business contacts; discuss audit privileges and processes
Prepare initial document request list for financial information queries
Review findings from previous audits
Review details of opened and closed internal investigations and Code of Conduct questionnaires
Research-related DoJ and SEC enforcements
Source: Webcast Slides.
Data analytics also helps with FCPA audits by keeping logs and files that cannot be altered along the way. “If the company does come under investigation and you have to build evidence, the software records and documents what you did from start to finish so you can show the trail of logic, how you performed each test, and the criteria that was used,” Davies says. “From a legal perspective, you can build your evidence with more certainty.”
To further refine the scope of an FCPA audit, internal audit teams may also want to review the following materials:
Code of Conduct questionnaires;
The findings of earlier audits;
The details of both opened and closed internal investigations; and
Any enforcement actions brought by the Justice Department and Securities and Exchange Commission.
By reviewing these additional materials, the audit team can gain a better understanding of what particular issues it may want to focus on most, Ibrahim said.
Audits of Third Parties
FCPA audits of third parties can prove particularly difficult when trying to get your hands on data that you really want. “Part of the objective of an FCPA audit is to make sure your third parties are billing or invoicing the company for payments that comply with its policies and procedures and Code of Conduct,” says Manny Alas, PwC's Global FCPA Leader.
When Baker Hughes interviews its third parties, “we want to make sure they understand our policies and procedures and are abiding by them,” Ibrahim said. For example, third parties are tested on whether they understand the difference between a facilitation payment and an extortion payment, or what payments Baker Hughes does and does not allow, “so that they can properly identify and report such matters when they do arise,” she said.
No matter the objective of a third-party audit, access to books and records is crucial. “People don’t pay bribes with their own money; in some way, shape, or form, company assets are used,” Pollard says. “Those payments are going to materialize in the books and records.”
For third parties that refuse to open their books and records, audit teams have a few ways to apply pressure. For example, if that third party manages your data along with competitors’ information, you can ask to see only the transactions that involve your company, or request to see only screenshots of the relevant information.
Interviews are another important component of a thorough FCPA audit—although interviews for an FCPA audit are different than those for an investigation, and the skill sets do differ. FCPA audits seek to determine whether people have a proper understanding of the company’s internal controls and processes; that means the interviewer should be someone who is approachable, sensitive to cultural matters, and has great communication skills.
“The focus is really to create dialogue,” Ibrahim said. Some companies even refuse to call them “interviews” at all, and refer to them as “discussions.”
Interviews conducted in FCPA investigation, on the other hand, aren’t so much conversational as they are exploratory in nature, and “typically are performed under the protection of attorney work-product privilege,” Alas says.
FCPA investigations concern specific allegations of improper conduct, so choosing someone with skills in behavioral analysis to conduct the interviews is helpful. The interviewer should have the ability to “not only read people, but understand and assess the truthfulness of the individual,” Pollard says.