Compliance & Internal Audit: Find your way through the FCPA
By Steve Biskie, CPA, CITP, CISA
The U.S. Foreign Corrupt Practices Act (FCPA) was implemented while disco still ruled the airwaves, but the Act – signed in 1977 and amended in 1988 – has steadily gained both media attention and greater scrutiny from global governments in the last several years.
In a nutshell, the FCPA makes it a crime for U.S. individuals and companies (including affiliates, subsidiaries and branches) to knowingly offer payment or promises of payment to foreign governments in order to secure business. These payments need not only be monetary, and include anything of value. In the early days of the Act, fines were small and enforcement was minimal. In the last 3-4 years, however, many countries around the world have developed their own regulations. At the same time, fines have increased dramatically and global governments are stepping up both investigations and prosecution.
Organizations found in breach of the FCPA risk criminal penalties, including corporate fines of up to $2 million per violation. Company officers, directors, stockholders and employees can face personal fines and imprisonment for up to five years. The U.S. Securities and Exchange Commission (SEC) can also impose civil actions against the firm or individuals within the firm, and revoke export licensing rights. Indictment alone can lead to suspension of the right to do business with the federal government.
FCPA regulations include both anti-bribery and accounting provisions. This means that companies must avoid unlawful payments and promises of payments, while also keeping books and records that accurately reflect corporate transactions. In every industry, organizations need to devise and maintain an adequate system of internal accounting controls. The anti-bribery provisions make the biggest headlines, but the accounting provisions are equally important, and the SEC can use those rules to prosecute wrongdoers.
FCPA in the news
In 2007, Baker Hughes (a Texas-based global provider of oil field products and services) pled guilty to three felony charges and was fined $44 million – the largest financial penalty in the history of the Act. An even bigger case emerged in 2008, when the SEC and German authorities handed Siemens AG a collective $1.6 billion fine. In addition to the obvious business cost of FCPA violations, firms charged by the SEC and international governments consistently see a significant drop in share value after the public announcement.
Among the most relevant FCPA news, however, is the increasing level of cooperation between U.S. and international governments and regulators. The American chemical company Innospec recently pleaded guilty to 18 fraud charges connected to overseas kickbacks and agreed to pay a total of $40.2 million in fines. The U.S. Justice Department, the SEC and the United Kingdom’s Serious Fraud Office worked together to monitor and charge the $600-million chemical company.
It’s interesting to note that companies that take swift action on internal issues and violations appear to fare better. Siemens initially faced multiple FCPA violations, corruption charges and initial fines estimated at just under $6 billion. After taking steps toward compliance and remediation, company executives were not charged with bribery and the fines were cut down to $1.6 billion.
The challenges of compliance
Today’s global business environment has created highly international, decentralized companies. Individuals often operate in remote countries where bribes and payoffs have historically been a routine part of conducting business. When language, culture, and traditions vary so widely, keeping close tabs on international operations can be extremely challenging.
From an audit perspective, FCPA regulations can shine a brighter light on business units that weren’t traditionally high-risk areas or countries that didn’t require significant scrutiny. Auditors often face massive data volumes that are difficult to monitor, while routine sampling techniques frequently overlook potentially problematic transactions.
Individuals may also intentionally circumvent organizational policies. For auditors, detection can be more difficult when employees or corporate agents aim to cover up irregular activities, versus accidentally violating FCPA regulations or failing to fully report transactions that could be considered suspicious. Auditors need tools to uncover anomalies that go beyond random sampling, conversations and observations.
Watching for red flags
Internal audit departments can play a critical role in FCPA compliance by implementing effective monitoring techniques to raise visibility around potential violations, and working with management to develop a culture of compliance, where employees know their activities will be evaluated. Data analytics provide 100% testing of all corporate transactions. It’s the most powerful way to validate the completeness and accuracy of books and records. Continuous monitoring can also help meet FCPA accounting provisions by repeatedly testing the effectiveness of internal controls, and highlighting specific transactions that appear suspicious.
When it comes to bribery provisions, data analysis solutions such as ACL AuditExchange can quickly identify – without manual intervention or sampling – red flags and provide an invaluable early warning system. Strategic data analytics can pinpoint:
- payments to risky vendors, including government contractors and parties on government watch lists
- payments made from out-of-country bank accounts
- use of new attorneys, accountants, consultants and other professionals with no prior company relationship
- missing descriptions or suspicious payment keywords, such as “for services rendered,” “gifts,” or “facilitation”
- checks made out to “cash”
- payments classified as government expenses, made in cash, or written to an individual
Analytics can also uncover suspicious situations that may warrant further investigation, including:
- high cash transaction volumes
- payments sent outside the country of operation
- multiple gifts to a single individual
- entertainment of government customers
- bonuses of unusual quantity or timing
- attempts to circumvent transaction detection (e.g., payment splitting)
- charitable contributions to organizations affiliated with the government
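A sketch of how a few of the tests listed above (cash payees, missing or suspicious descriptions, payment splitting) can run over every payment record instead of a sample. This is an added example, not ACL AuditExchange code or the author's; the ledger rows are constructed, and the approval limit and the three-day window are assumptions.

```python
from collections import defaultdict
from datetime import date

KEYWORDS = ("for services rendered", "gift", "facilitation")  # from the article's list
APPROVAL_LIMIT = 10_000  # assumed approval threshold, not from the article
SPLIT_WINDOW_DAYS = 3    # assumed window for grouping split payments

# Constructed sample ledger: (id, date, payee, amount, description)
PAYMENTS = [
    ("P1", date(2010, 3, 1), "Acme Logistics", 4200.00, "Freight invoice 8841"),
    ("P2", date(2010, 3, 2), "Cash", 900.00, "Customs handling"),
    ("P3", date(2010, 3, 4), "J. Doe Consulting", 6000.00, "For services rendered"),
    ("P4", date(2010, 3, 5), "J. Doe Consulting", 5500.00, "Consulting fee"),
    ("P5", date(2010, 3, 9), "Northwind Supplies", 750.00, ""),
]

def row_flags(payee, description):
    """Per-transaction tests: cash payee, missing or suspicious description."""
    text = description.strip().lower()
    flags = ["payee_cash"] if payee.strip().lower() == "cash" else []
    if not text:
        flags.append("missing_description")
    return flags + [f"keyword:{k}" for k in KEYWORDS if k in text]

def split_payment_ids(payments):
    """IDs of under-limit payments to one payee that together reach the limit."""
    by_payee = defaultdict(list)
    for pid, day, payee, amount, _ in payments:
        by_payee[payee.strip().lower()].append((day, amount, pid))
    hits = set()
    for rows in by_payee.values():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            window = [r for r in rows[i:] if r[1] < APPROVAL_LIMIT
                      and (r[0] - start).days <= SPLIT_WINDOW_DAYS]
            if len(window) > 1 and sum(r[1] for r in window) >= APPROVAL_LIMIT:
                hits.update(r[2] for r in window)
    return hits

def analyze(payments):
    """Test every payment (no sampling); return {id: [flags]} for exceptions only."""
    split = split_payment_ids(payments)
    report = {}
    for pid, _, payee, _, desc in payments:
        flags = row_flags(payee, desc) + (["possible_split"] if pid in split else [])
        if flags:
            report[pid] = flags
    return report
```

Each flag is a lead for follow-up, not a finding: P3 and P4 are grouped only because they go to the same payee within the assumed window and together cross the assumed limit.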
Finding data indicators
While traditional audit techniques involve surveys, interviews and
manual sampling, data analytics can serve as an internal barometer and
offer a near-real-time indication of potential issues across the
organization. The analytics quickly highlight exceptions and allow audit
staff to focus on more strategic FCPA activities. It’s easy for both
auditors and management to decide whether issues require further action,
investigation, or if internal training and policies need to be
reinforced.
Automated processes also demonstrate that a company is proactive. The
ACL AuditExchange platform, for example, provides detailed logs and a
clear audit trail. Leads can be tracked and exceptions quickly
investigated. And if an organization does need to disclose a problem or
work with regulators on FCPA issues, having a continuous monitoring
program in place could contribute to a more favorable outcome.
Get started to gain deeper assurance
No organization is immune from FCPA penalties if they are caught in
violation of the Act, so it’s critical to get started. Many analytics
can be quickly implemented, allowing you to gain valuable insight today
rather than tomorrow. The key is to identify potential problems and
address them – now – to better manage your unique risks. Red flags can
then be communicated and resolved as needed.
The impact of the FCPA has grown significantly in the last several
years. Even if it was not high on your audit radar before, it’s time to
re-examine your company’s compliance with this important set of
regulations. At the same time, instilling a culture of strategic
monitoring backed by effective controls can strengthen all your
compliance efforts. Studies from the Association of Certified Fraud
Examiners consistently reveal that internal fraud typically starts
small, and grows as people gain confidence. When companies are open and
visible with their monitoring practices and people believe there is a
chance that inappropriate actions might be questioned, fraudulent
activities drop dramatically.
Data analytics are simply the best way to look at all the transactions
flowing through your organization. While they can’t give you a clean
FCPA slate, automated analytics can provide considerable assurance and
free your time to focus on other significant aspects of the Act. Show
you’re taking the right steps, put solid processes in place and don’t
wait until you’re hit with a violation. Get started today.
__
Steve Biskie, CPA, CITP, CISA
Director of Services Product Management
ACL Services, Ltd.
Steve Biskie has over 15 years' experience in information technology
audit for public accounting (as a former Deloitte manager), private
industry, and with specialized risk management consulting firms. His
role at ACL is focused on designing services that enable organizations
to achieve best practices in the use of audit analytics. Biskie is an
accomplished public speaker on the topics of audit, risks, and controls,
with a focus on technology. He is an IIA All-Star speaker and a much
in-demand thought leader and facilitator throughout industry events.
Contact Steve at steve_biskie at acl dot com.


