FCPA Compliance and Ethics Blog

December 15, 2010

The FCPA Audit For Supply Chain Vendors

Filed under: Audit,FCPA,Supply Chain — tfoxlaw @ 6:10 pm
Tags: , , ,

An audit for adherence to Foreign Corrupt Practices Act (FCPA) compliance requirements is becoming more standard as a best practice in the management of business relationships with third party vendors which work with a company through the supply chain. In several recent settlements of enforcement actions through both Deferred Prosecution Agreements (e.g. Panalpina) and Non-Prosecution Agreements (e.g. RAE Systems Inc.), the Department of Justice (DOJ) has stated that one of the current best practices of a FCPA compliance program includes the right to conduct audits of the books and records of the agents, business partners and supplier or contractors to ensure compliance with the foregoing. Many companies have yet to begin their audit process for FCPA compliance on vendors in their supply chain. This posting will explore some of the issues involved in auditing such business partners. 

I.                   Right to Audit  

Initially it should be noted that a company must obtain the right to audit for FCPA compliance in its contract with any third party vendor in the supply chain. Such an audit right should be a part of a company’s standard terms and conditions. A sample clause could include language such as the following: 

Vendor shall permit, upon the request of and at the sole discretion of the Company, audits by independent auditors acceptable to Company, and agree that such auditors shall have full and unrestricted access to, and to conduct reviews of, all records related to the work performed for, or services or equipment provided to, Company, and to report any violation of any of the United States Foreign Corrupt Practices Act, UK Bribery Act or any other applicable laws and regulations, with respect to:

a.         the effectiveness of existing compliance programs and codes of conduct;

b.         the origin and legitimacy of any funds paid to Company;

c.         its books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;

d.         all disbursements made for or on behalf of Company; and

e.         all funds received from Company in connection with work performed for, or services or equipment provided to, Company. 

II.                Structure of the Audit 

In the December 2010 issue of the Industrial Engineer Magazine, authors Aldowaisan and Ashkanai discussed the audit program utilized by the Kuwait National Petroleum Company for its supply chain vendors. Although the focus of these audits is not to review FCPA compliance, the referenced audits are designed to detect and report incidents of non-compliance, which would also be the goal of a FCPA compliance audit. Utilizing ISO 19011 as the basis to set the parameters of an audit, the authors define an audit as a “systematic, independent and documented process for obtaining audit t evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” The authors list three factors, which they believe contribute to a successful audit: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. In a webinar hosted by Securities Docket, entitled, “Follow the Money: Using Technology to Find Fraud or Defend Financial Investigations” noted fraud examiner expert Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data. 

There is no one specific list of transactions or other items which should be audited. However some of the audit best practices would suggest the following: 

  • Review of contracts with supply chain vendors to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party vendor.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party vendor have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained. Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
  • Does the third party vendor have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review employee expense reports for employees in high risk positions or high risk countries.
  • Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party vendor’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks and what has been the result of any so identified.
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party vendor.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing. 

III.             Conclusion 

As noted the above list is not exhaustive. For instance, there could be an audit focus on internal controls or segregation of duties. Any organization which audits a business partner in its supply chain should consult with legal, audit, financial and supply chain professionals to determine the full scope of the audit and a thorough and complete work plan should be created based upon all these professional inputs. At the conclusion of an audit, an audit report should be issued. This audit report should detail incidents of non-compliance with the FCPA compliance program and recommendations for improvements. Any reported incidents of non-compliance should reference the basis of any incidents of non-compliance such as contractual clauses, legal requirement or company policies. 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2010

1 Comment »

  1. I have to admit that I’m not a fan of audit rights. Here’s my issue: audit rights become audit obligations, and no anti-corruption compliance person I know has the staff or even the bandwidth—much less the budget—to conduct audits of their supply chain vendors (not even to mention their customs agents, external sales agents, joint venture partners, or other, riskier, third parties). For larger companies, you’re talking hundreds, if not thousands, of third parties. And in far-flung places. Good luck getting an audit conducted in Kazakhstan. Or China. Or the Philippines. And if you do manage to get one done, good luck making it a repeatable process. Every year, you’d have to argue for increasing budgets for something that will only grow larger over time as you add third parties.

    And it’s 6/5 and pick ’em whether it’s worse to not have audit rights in your contract versus having those audit rights and not exercizing them. I can imagine that conversation with the DOJ,

    “do you have audit rights in your contract?”
    “But of course!”
    “Great, let me see the results of the last three audits you did.”

    Another problem, audit rights are tough to get. I don’t know of a large company that doesn’t push back when you ask for audit rights. And companies outside the US hate them even worse. Plus, if you ask, and the third party says no, you’ve just generated a red flag that should affect the risk rating of that vendor. So the contract negotiator has to be told that audit rights are non-negotiable, which will have an effect on the overall contract negotiation.

    A third problem: in my experience, companies outside the US, if you can get them to agree to audit provisions, are, shall we say, less than forthcoming with their data when push comes to shove.

    One potential answer—which makes the right more palatable—is to limit audits to where there’s a good reason to believe a violation has occurred. Of course, that’s more remedial than forward-looking. It doesn’t make it less likely that a problem will occur, it makes it so you can respond to the problem better.

    My suggestion is to limit audit rights to your absolutely highest-risk third parties in your riskiest locations. And then budget for those, and do them right, without fail. For other third parties, your audit right should only trigger if there’s a perceived issue.

    Essentially, everything needs to be tied to your risk assessment process for third parties. Riskier third parties get more attention, including potentially rights to audit them periodically. That’s just one part of an overall risk remediation, which should also include shorter contract terms, transaction monitoring, certifications, better termination rights, etc. Audit rights need to be looked at in terms of an overall risk-addressing process, as just one element of an umbrella program.

    Comment by Howard@OpenAir — December 16, 2010 @ 9:58 am | Reply

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: