You’re sitting at your desk when you get a call. “This is Tom from the Department of Justice (DOJ), we have reason to believe your company may be out of FCPA compliance. We are sending in auditors to assess the situation.”
What do you do?
Are you overcome with panic? Or do you calmly call in your team and start getting your records ready for the review?
When major headlines include details of the latest enforcement actions issued by the DOJ for cases relating to violations of the Foreign Corrupt Practices Act (FCPA), you can bet that every Chief Financial Officer, Controller, and Chief Compliance Officer is reading every word. While these news alerts may leave some executives feeling anxious and unable to sleep, those who are confident about their existing FCPA compliance programs are calm and well-rested.
Part Two of this Four-part series
In this post, we look at two keys to FCPA compliance and what you can do to mitigate the risk of an FCPA violation with the help of technology. But first, let’s look at where the risks of noncompliance lie.
Travel and expense is a top mechanism for FCPA violations
“T&E is the key mechanism by which FCPA violations can occur.” - Todd Marlin, principal at Ernst & Young (1)
Could bribery and corruption be hiding in your expense reports?
Areas of concern for potential FCPA violations include expenses for meetings and conventions, entertainment expenses for international travel, and meal and auto expenses. These areas are common ways for bribery to happen: employees pay for entertainment or gifts in exchange for favors and hide the cost in their expense reports. You must have training and controls in place to block these potential violations.
In 2015, the Securities and Exchange Commission (SEC) charged BHP Billiton with violating the FCPA by taking foreign government officials to the Summer Olympic Games. The company took 60 government officials and spouses to the games, with travel and meals included, while some of the officials had ties to pending contracts and regulatory decisions involving the company. The company did not have proper controls in place around the invitation application process. BHP Billiton paid $25 million to settle the charges. (2)
When auditing thousands of employee expense reports each month, quarter, or year, the most traditional approach is to look at a sample of transactions, from a pre-determined population, over a specified period. So, when the sample selection process does not uncover any transactions with visible issues or signs of non-compliant behavior, does that mean you’re not at risk?
Nope. It just means you didn’t uncover any issues in your selected sample. A serious violation could be lurking in the data you did not review, and your company is still on the hook if there is.
How effective is your FCPA compliance program?
What are the key elements that should be addressed to protect the company against FCPA violation charges? The DOJ describes the following attributes as the “Hallmarks of Effective Compliance Programs.”
- Commitment from Senior Management and a Clearly Articulated Policy Against Corruption
- Code of Conduct and Compliance Policies and Procedures
- Oversight, Autonomy, and Resources
- Risk Assessment
- Training and Continuing Advice
- Incentives and Disciplinary Measures
- Third-Party Due Diligence and Payments
- Confidential Reporting and Internal Investigation
- Continuous Improvement: Periodic Testing and Review
- Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration
- Analysis, and Remediation of Misconduct (3)
Does your FCPA compliance program measure up?
An FCPA Prevention, Detection and Response Plan
When considering enforcement actions for FCPA violations, the DOJ will assess the following:
- “What did you do to prevent it?”
- “What did you do to detect it?”
- “What did you do when you found out about it?”
The only way to ensure you are prepared to answer these questions is to incorporate FCPA compliance technology with your FCPA compliance program. An FCPA compliance software solution can provide the two key elements needed for FCPA compliance: continuous monitoring and ongoing documentation of compliance efforts. (4)
FCPA Compliance Key 1: Continuous Monitoring
When the Sarbanes-Oxley Act (SOX) was first implemented, new teams were created within organizations to properly document existing control processes, identify any gaps, and make the necessary changes. We were all trying to figure out what a key control was versus a non-key control and, at the end of the day, determine who was responsible for testing, reviewing, and signing off on all these controls. The concept of continuous monitoring for FCPA compliance wasn’t new, but SOX formalized it and made it a requirement. Getting all controls up to par with the new requirement was daunting, but overall, the impact has been positive.
To confirm that they understand the company’s policies and procedures, most employees must read and sign a “Code of Conduct” every year. Most companies also provide annual compliance training and offer a hotline to confidentially report any problems or issues. But what many companies are still lacking is a continuous monitoring solution to measure FCPA compliance program performance. Companies that have implemented such programs can attest to how powerful (and necessary) a continuous monitoring system is for their programs.
There are three ways that continuous monitoring contributes to overall risk management and compliance initiatives:
- Lowers audit costs by eliminating manual sampling.
- Improves financial governance by increasing the reliability of transactional controls and the effectiveness of anti-corruption controls.
- Enhances operational performance by monitoring key financial processes. (5)
Continuous controls monitoring can also serve as a source of record for verifying an employee’s pre-employment background check, for assessing the quality of the FCPA compliance training an employee receives after hire, and for reviewing and recording an employee’s annual acknowledgement of FCPA compliance. Ongoing monitoring gives greater visibility into employee spending, third-party disbursement, or other sources of monetary financing that could be used to pay a bribe and therefore violate the FCPA.
FCPA Compliance Key 2: Ongoing Documentation
“If you don’t document it, you cannot measure it, and if you cannot measure it, you cannot refine it.”
- William Athanas
In “Demonstrating ‘Systemic Success’ in FCPA Compliance: Identifying and Maintaining Evidence to Respond to Government Investigations…Before They Begin,” William Athanas explains how documentation provides the supporting evidence needed to prove that compliance measures were taken to mitigate the risk of FCPA non-compliance. He asserts that if a program does not document its processes, there is no evidence that it has succeeded.
As the only way to gauge the overall effectiveness of any compliance program, ongoing documentation is often a primary factor leading to a decision by the Department of Justice (DOJ) not to prosecute. (6)
FCPA compliance documentation can eliminate a visit from the DOJ
How can you make sure that your risk, compliance, and audit departments are properly monitoring T&E expenses and reimbursements when it comes to global bribery laws and FCPA compliance?
Are you ready for a visit from the DOJ? Which leader would you be if you got that call?
If T&E expenses are carefully and systematically monitored for potential bribery or corruption, and there is sufficient, readily available documentation to prove it, then you should have no worries. Your records provide you with a defensible audit trail allowing you to demonstrate that you have the proper controls in place to mitigate risk.
If you haven’t already done so, your key objective should be to implement an FCPA compliance technology solution that increases efficiency, reduces manual effort, and decreases the chance of risk and loss for the business. Technology provides you with the keys you need for an effective FCPA compliance monitoring program – continuous monitoring and documentation. By leveraging technology, organizations can establish a record of evidence and therefore become proactive in the prevention of FCPA violations. (7)
Oversight offers an FCPA compliance technology solution that addresses the DOJ’s guidelines for FCPA compliance monitoring, communication with employees, compliance evidence, and audit trails. Using artificial intelligence, Oversight continuously monitors 100% of T&E transactions for any red flags.
Using a library of FCPA analytics, the solution takes a risk-based approach to analyze transactions for possible misconduct, and with built-in workflows, any actions taken to review or resolve potential FCPA violations are recorded automatically and retained indefinitely.
(3) https://www.justice.gov/criminal-fraud/file/1292051/download (pages 58-68)