FCPA Compliance and Ethics Blog

March 28, 2011

FCPA Lessons Learned-Failures in Internal Controls

We often write and speak on some of the lessons learned from enforcement actions brought by the Department of Justice (DOJ) under the Foreign Corrupt Practices Act (FCPA). We believe that companies can not only learn from the mistakes of others in implementing or enhancing their compliance program but can also glean information on the DOJ’s current thinking on the best practices for a compliance program.

In a recent white paper entitled “Staying out of the Headlines: Strategies to Combat Corruption Risk,” jointly produced by the consulting firm of Protiviti and the law firm of Covington and Burling, the authors reviewed 286 FCPA cases and analyzed the internal control weaknesses which led to FCPA enforcement actions. From this review, the authors derived a Top Five of Control Weaknesses. This article will review these findings and the authors’ guidance on how a company might use this information to enhance its FCPA compliance program.

1. Inadequate Contract Pricing Review

The authors found that in 110 cases they reviewed, the internal controls were insufficient to confirm whether contract pricing was artificially inflated or otherwise altered. This enhanced the risk that a foreign business representative could inflate the price of goods and either keep the spread or use it to bribe a foreign governmental official. The types of internal control weaknesses noted by the authors included:

  • Inflated contract prices were used to generate and conceal kickbacks.
  • Commissions were disguised as legitimate business expenses.
  • Unwarranted additional fees were added to contract prices.

To remedy this contract pricing issue, the authors recommended that companies review their procurement policies from an FCPA compliance perspective. Companies should also engage in a competitive bidding process for purchases from third parties. Lastly, invoices from third parties should provide sufficient detail to support the goods or services provided and backup for all expenses.

2. Inadequate Due Diligence and Verification of Foreign Business Representative

It is well known that companies are responsible for the actions of their business representatives and that this is a large source of FCPA exposure. Based upon their review, the authors found several examples of weaknesses in internal controls which led to FCPA enforcement actions. These weaknesses included:

  • Monthly payments made to foreign business representatives where no written contract was in place.
  • Contracts with foreign business representatives with prior histories of improper payments.
  • Lack of vigorous due diligence based upon a valid risk analysis.

While noting the difficulties in the area of foreign business relationships, the authors proffer several steps to help ameliorate the risk. These steps include (1) performing a risk assessment and ranking the requisite due diligence based on this assessment; (2) collecting, processing and analyzing information in a concise and effective manner; (3) confirming the business purpose, and indeed business need, for the third parties; (4) having a high-level management review of all high-risk foreign business partners; (5) including FCPA terms and conditions in the written contract, including an affirmation of FCPA compliance; and (6) managing the foreign business partner relationship with an internal management sponsor.

3. Ineffective Accounts Payable Payment and Review

This area involves the review and appropriate authorization of funds prior to disbursement. The authors noted that vendor setup and management procedures were not well documented in the cases they reviewed and that company processes across wide geographic areas may not have the appropriate “checks and balances.” The authors found the following internal control weaknesses in this area:

  • Inappropriate payments made to agents under the guise of commissions, fees or legal services.
  • Payments for professional services where no backup was provided by the vendor.
  • Services were paid under contracts where such services were not addressed.

As remedies for these issues, the authors suggested that the classification of payments is critical. Additionally, supporting documentation must be a part of any request for payment, but there must also be an appropriate review and approval process followed for any disbursements. Finally, purchase orders must be matched with contracts for validation prior to payment.

4. Ineffective Financial Account Reconciliation and Review

The books and records component of the FCPA, together with the accounting control provisions, mandates that documentation on transactions must not only record the transaction but also adequately describe it to alert the reviewer to possible violations. In their white paper analysis, the authors found several examples of ineffectual financial account reconciliation and review, which included:

  • Inflated revenues through improper schemes.
  • Recording of false entries by a subsidiary that was rolled up to a parent.
  • False invoices were paid.
  • Improper recordation of payments in various ledger accounts.
  • Lack of appropriate documentation for disbursements.

The authors advised that companies should enhance financial reconciliation and review for FCPA compliance. Policies and procedures must be established and followed to help ensure accurate bookkeeping and accounting. Lastly, all transactions must have and be supported by appropriate documentation.

5. Ineffective Commission Payment Review and Authority

The authors noted instances of the lack of procedures to verify the payments of commissions to foreign business partners. These failures led to instances of bribery of a foreign governmental official by the foreign business partner. From their review, the authors noted some of the following internal control weaknesses which led to a high number of enforcement cases in this area:

  • Mission creep by foreign business partners in that the duties they carried out were not assigned within or by the contract.
  • Misleading information was presented to company internal auditors regarding the amount of commissions paid by foreign business partners.
  • Commission payments were inflated so that foreign business partners could provide kickbacks to foreign government officials.

To assist in this area, the authors stressed the need for a review of all relevant information prior to making a commission payment. This would start with a review of the contract to ascertain if the agent was entitled to a commission, the amount of the commission and whether the work described met the contractual strictures. Care should be taken that all payments are made to the named contract counter-party and not an unnamed third party. The payment location should be verified to make certain no offshore payments are made. Lastly, the authors suggest training for any third party representatives to ensure their understanding of the requirements of the FCPA and any other applicable anti-bribery and anti-corruption laws.

This white paper is an excellent source of information on the lack of internal controls which has led other companies into FCPA troubles. It provides some solid recommendations for the specific controls that a company should put into place. We commend the authors for their research and suggestions for best practices moving forward.


Stephen Martin and I will be continuing our FCPA presentations, hosted by World Check, next week. All of the events are free and CLE is provided. If you are in one of these areas, I hope you can join us.

Tuesday, April 5, Portland.

Wednesday, April 6, Seattle.

Thursday, April 7, Denver.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011
