January 18, 2011
On January 11, 2011, Tom Fox (see the Blog post below) was kind enough to post the “13 Step FCPA Compliance Action Plan” that I cobbled together. Since that time I have received many calls and e-mails for more information, so I decided to post it for others to consider using in practice. My goal is to continuously tweak the plan. Your suggestions and comments are always welcome.
13 Step FCPA Compliance Action Plan
Note: The draft guidance is not prescriptive and does not detail specific anti-bribery measures, but instead adopts a principles-based approach, which is intended to be used as a guide by a company when implementing its own anti-bribery compliance program.
The audit committee is responsible for overseeing the financial reporting process and controls, the internal audit function, and the external auditors, including the appointment of the company’s external auditor. It oversees management’s implementation of policies that are intended to foster an ethical environment and mitigate financial reporting risks. In this process, the audit committee has the responsibility to see that management designs, documents, and operates effective controls to reduce the risk of financial reporting fraud to an acceptable level. The Sarbanes-Oxley Act also makes the audit committee responsible for establishing mechanisms for the receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or audit matters, and confidential, anonymous submissions by employees of concerns regarding questionable accounting and auditing matters (generally referred to as the ethics or whistleblower program).
In addition, it is increasingly common for the audit committee to have a link with the compensation committee through overlapping members, joint meetings, or attendance of the audit committee chair at certain compensation committee meetings. The objective of this process is to satisfy both committees that the executive compensation structure provides sound incentives for achieving corporate strategies without unintentionally providing motivations for fraud or other unethical behavior. The focus on compensation structures will likely increase as a result of legislation and regulatory rules regarding corporate compensation policies and practices.
Source: Center for Audit Quality Anti-Fraud Report: Deterring and Detecting Financial Reporting Fraud: A Platform for Action
1. Top level commitment – “Tone from The Top”
- Top-level management (usually the board of directors and senior executives) must establish a culture within their company in which bribery is unacceptable. They also should ensure that the company’s policy to operate without bribery is effectively communicated throughout the company. The draft guidance provides examples of what top-level commitment should include:
- a “zero tolerance policy” toward bribery in all parts of the company’s operation;
- clear explanation of the consequences that employees and business partners will suffer if they violate the corporate policy;
- personal involvement in the development of a code of conduct, or ensuring the publication and communication of anti-bribery measures to all employees, subsidiaries and business partners; and,
- appointing a senior manager to oversee the development of an effective anti-bribery program.
“Top level commitment” is another commonly identified element of an effective compliance program. This principle, as articulated in the draft guidance, appears to combine the requirement of a strong “tone at the top,” noted by almost every respected guide on compliance programs from the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) to the US Department of Justice, and the need for a clear, firm anti-bribery policy—a principle also widely endorsed in the compliance literature and by governmental organizations.
2. Corruption and Bribery Risk Assessment
The OECD Good Practice states that a compliance program should be developed on the basis of a risk assessment.
- Conduct a comprehensive review of the company and assess the potential bribery and corruption risks associated with its products and services, customers, third-party business partners and geographic locations where it operates.
- The risk assessment can serve as the documented rationale for the compliance program.
- Businesses must be aware of the current bribery risks they face in the sectors and markets in which they operate. The proper nature of any risk assessment procedures will depend on the size of the company, as well as its activities, customers and markets. But companies are generally advised to consider the following:
- Whether those performing the risk assessment are “adequately skilled”; and,
- What data sources should inform the risk assessment. The draft guidance suggests the use of internal data (annual audit reports, internal investigation reports, focus groups and staff, client or customer complaints) and external data (analyzing publicly available information on bribery issues in particular sectors or jurisdictions).
For multinational corporations already subject to the US Foreign Corrupt Practices Act (“FCPA”) and other anti-bribery enforcement regimes, this requirement should be no surprise. Section 8B2.1 of the US Sentencing Guidelines for Organizations already lists periodic risk assessments as a component of an effective compliance program. And the OECD’s Working Group on Bribery in International Business Transactions issued guidance in November 2009 that similarly advised risk assessments as a good practice for companies. Regardless of official guidance, no company can properly design a compliance program without identifying and understanding the risks it wishes to guard against.
3. Internal Controls
- Most companies struggle with implementing mitigating controls to support their internal anti-bribery and anti-corruption policies.
- Develop, document and maintain a system of internal financial controls to ensure that all payments are accurately recorded in the company’s books and records in accordance with applicable regulatory requirements.
- Special attention should be paid to those areas that may directly affect the anti-bribery and corruption compliance program such as procurement, on-boarding of vendors, agents, consultants, and other third-party business payees.
- Gifts and entertainment controls. Managing the offering and receiving of corporate gifts, entertainment and travel has become increasingly important in today’s environment of increasing regulatory oversight. Gifts given with the best of intention can be incorrectly perceived and lead to millions of dollars in government fines, as well as loss of potential business.
4. Structuring and Defining Roles & Responsibilities
- Anti-corruption director (See Daimler)
- Chief Compliance Officer or Other Senior Corporate Official
- The assignment of responsibility to one or more senior corporate officials for implementation (see discussion within) and for oversight of compliance with policies, standards and procedures under the FCPA and other applicable anti-corruption laws, with the authority to report matters directly to the Board.
- Understanding the US Sentencing Guidelines changes that became effective on November 1, 2010, and included a change related to the Direct Report. The amendment changed the reporting structure in companies where the Chief Compliance Officer (CCO) reports to the General Counsel (GC) rather than a committee on the Board of Directors. The change reads “the individual…with operational responsibility for the compliance and ethics program…have direct reporting obligations to the governing authority or any appropriate subgroup… (e.g. an audit committee or the board of directors)”. If a company has the CCO reporting to the GC, who then reports to the Board, such structure may not qualify as an effective compliance and ethics program under the amended Sentencing Guidelines. The better practice would now appear to be that the CCO should be a direct report to the Board or appropriate subcommittee of the Board such as compliance or audit.
5. Risk-based Third Party Due Diligence
- Develop and document an investigative due diligence protocol that will assess the potential bribery and corruption risks associated with third parties such as vendors, consultants, suppliers, agents and joint venture partners.
- The nature and extent of the investigative due diligence should be based on the third party’s risk profile.
- The protocol should set forth the remedial steps that may be taken for those parties that represent an elevated risk of bribery and corruption, including, but not limited to escalated due diligence or the termination of the relationship.
- Types or Levels of Due Diligence
- Basic: simple database checks
- Medium: more in-depth review
- High: reputation checks, site visits, forensic review of financial statements, and investigative procedures outside the US
6. Clear, Practical, Current, And Accessible Policies And Procedures
- There should be a clearly articulated policy against bribery and corruption that enforces a tone of compliance from the board and management.
- Procedures and processes that clearly set forth permitted and prohibited conduct, supervisory and compliance approvals for certain conduct and documentation of such approvals.
7. Documenting a Detailed Multi-year Compliance Plan
- Companies must embed anti-bribery policies and procedures throughout the business. “Paper compliance” is insufficient. Companies should consider establishing an implementation strategy detailing the rollout of these policies and procedures:
- Who bears responsibility for program implementation;
- How to communicate the policies and procedures internally and externally;
- The content and nature of anti-bribery training and how to roll it out effectively;
- How senior management will monitor the program’s implementation;
- Whether and how the company will use external assurance processes;
- The processes for monitoring compliance;
- The implementation timetable;
- An explicit statement of penalties for violating relevant anti-bribery policies and procedures;
- The date of the program’s next review; and
- A decision on whether to require or suggest that business partners take part in anti-corruption training courses.
Warning! The statement that “paper compliance” is insufficient echoes warnings issued numerous times by US enforcement officials. Indeed, US Deputy Attorney General Mark Filip’s famous 2008 memorandum on prosecuting business organizations explicitly cautions that a mere “paper program,” lacking the necessary design, implementation, and review, will not protect a company from prosecution.
8. Appropriate Disciplinary Procedures To Address Violations
- Appropriate disciplinary procedures to address, among other things, violations of the FCPA, the UK Bribery Act, and other applicable anti-corruption laws or the compliance code by directors, employees, agents and business partners.
9. Ensuring Robust Monitoring and Review (Utilizing Internal Audit)
- Develop and document processes and/or controls to periodically assess the effectiveness of the compliance program and potential vulnerabilities and monitor for employee compliance.
- Such processes may include periodic testing and validation, review of available metrics and design of self-assessment forms and exercises.
10. On-going Training
- Develop training materials that clearly and concisely interpret applicable legal, regulatory, policy and procedural requirements as well as the possible ramifications associated with non-compliance. The training materials should be reviewed periodically to ensure their continued adequacy.
- Training should be provided regularly to senior management and key compliance and business personnel.
11. An Effective System for Reporting Suspected Criminal Conduct and/or Violations of the Applicable Anticorruption Laws for Directors, Employees, Agents and Business Partners.
- Develop and maintain a system for receiving complaints containing allegations of bribery and corruption as well as a system to investigate such allegations and document the actions taken with respect to such complaints and investigations.
12. Other Risk Mitigation Procedures
- Standard provisions in contracts and agreements that include at a minimum:
- Anti-corruption representations and undertakings relating to compliance with FCPA, UK Bribery Act and other applicable anti-corruption laws;
- Rights to conduct audits of the books and records; and
- Rights to terminate as a result of any violation of anti-corruption laws, and regulations or representations and undertakings related to such matters.
13. Annual Testing of The Compliance Program
- The US Sentencing Guidelines state that there should be periodic reviews of a company’s compliance program, utilizing internal resources, such as a company’s Internal Audit function, and outside professional consultants. (emphasis added)
- The OECD Good Practice states that a compliance program should be developed on the basis of a risk assessment addressing the individual circumstances of a company, in particular the foreign bribery risks facing the company (such as its geographical and industrial sector of operation). Such circumstances and risks should be regularly monitored, re-assessed, and adapted as necessary to ensure the continued effectiveness of the company’s internal controls, ethics, and compliance program or measures.
- The UK Bribery Act Consultative Guidance, recently released by the UK Ministry of Justice, calls for ongoing risk review and monitoring, noting that a compliance program and its procedures should be reviewed regularly, and encourages senior management of higher risk and larger companies to consider external verification or assurance of the effectiveness of anti-bribery policies.
In a recent speech, Assistant Attorney General for the Criminal Division of the US Department of Justice, Lanny Breuer, indicated that such an external verification or assurance of the effectiveness of a compliance program is a key component to assist a company in maintaining a ‘best practices’ FCPA compliance program. He noted that it is through a mechanism such as an ongoing assessment that a company could continue to evaluate its own compliance program with reference to compliance standards, which are evolving. Breuer has advocated an annual compliance program assessment by each company and I do as well.
Higher risk and larger companies should consider external verification or assurance of the effectiveness of anti-bribery policies.
January 11, 2011
Blog Post by: Tom Fox
Tags: Crowe Horwath, FCPA, Jonathan Marks, linkedin
Back in December 2010, we noticed a tweet by Jonathan Marks where he mentioned that he had developed a 13-step action plan for Foreign Corrupt Practices Act (FCPA) compliance programs. We were certainly intrigued by this information but, alas, there was no link to the document or information, so we took the direct approach and DM’d Jonathan to ask if he would be willing to share with us the 13-step action plan, which he was willing to do. So today’s blog will begin with a reminder of the incredible tools that are available to the FCPA compliance practitioner through today’s internet.
I met Jonathan (virtually) through LinkedIn and his hosting of the LinkedIn group ‘Fraud Pentagon.’ Through his profile I was able to discover Jonathan’s interesting professional journey: he is the Partner In-Charge of the Fraud, Ethics and Anti-Corruption practice at Crowe Horwath and has worked with the US Attorney’s office, the FBI, the IRS Criminal Investigation Division and US Customs officials during his career. Jonathan has also served as the Chief Audit Executive at several public companies and is a Certified Public Accountant, Certified Fraud Examiner and is certified in financial forensics.
I spoke to Jonathan to find out how he developed this plan and he told us that from his meetings with clients on the issue of compliance over the years, he wanted to develop a non-legalistic approach that he could easily convey to clients. So he studied the available literature, talked to others in the compliance arena and sought counsel from US government agencies tasked with enforcing the FCPA to come up with a framework by which a company could review its FCPA compliance program, assess where the program is in terms of best practices, and then use the same action plan as a guide for implementing some or all of the best practices.
Jonathan’s 13-step action plan includes the following:
1. Assisting in obtaining top-level commitment from boards and senior executives, setting the “tone from the top”
2. Executing a Corruption and Bribery Risk assessment that drives the compliance program and modifies it accordingly
3. Improving/Strengthening Internal Controls
4. Structuring and Defining Roles & Responsibilities
5. Performing Risk-based Third Party Due Diligence
6. Developing Clear, Practical, Current and Accessible Policies and Procedures
7. Documenting a Detailed Multi-year Compliance Plan
8. Defining Appropriate Disciplinary Procedures
9. Ensuring Robust Monitoring and Review (Utilizing Internal Audit)
10. On-going Training
11. Violation Reporting System is in Place and Multi-lingual
12. Reviewing Ancillary Risk Mitigation Procedures
13. Performing Independent Compliance Program Testing Annually
During our phone conversation, Jonathan indicated that while his 13-step action plan was designed with the FCPA in mind, it is also a solid basis for any company to use when reviewing, creating or implementing an “adequate procedures” program under the UK Bribery Act. Jonathan also shared with us some of the literature and references he had used to put his 13-step action plan together. These included the US Sentencing Guidelines, the OECD Good Practices, blog postings and articles discussing best practices and information he had gleaned from attending seminars and conferences. We applaud Jonathan for developing his action plan and making it available for discussion in our blog. We hope that it can be of assistance to the FCPA compliance practitioner.
We also want to take this opportunity to emphasize the wealth of material which is available, at no charge, to the FCPA compliance practitioner. The genesis of this posting came through Twitter, which has an active group of FCPA compliance and ethics professionals tweeting throughout the day. We have also been able to obtain a large amount of helpful material through joining only a portion of the LinkedIn groups which discuss issues related to the FCPA compliance practitioner, which include: FCPA – Foreign Corrupt Practices Act – Anti-Corruption Compliance Group; Society of Corporate Compliance and Ethics (SCCE); Dow Jones Risk & Compliance; Anti-Corruption Professionals; AML, FCPA, and Investigative Due Diligence Thought Leadership; The Forum for Chief Compliance Officers and Chief Risk Officers; and Anti-Corruption Compliance Asia. This list is by no means complete but is a small sample of what is available to you, and sometimes you are able to meet like-minded professionals such as Jonathan Marks.
Jonathan Marks can be reached via email at firstname.lastname@example.org and phone at 267-261-4947.
© Copyright 2011 Jonathan Marks, CPA/CFF, CFE @jtmarkscpa