FCPA Compliance and Ethics Blog

May 11, 2011

What are the Essentials for a FCPA/Bribery Act/OECD Compliance Program?

In a recent article entitled, “Bribery and Corruption Compliance: the Playing Field Levels”, Timothy Coleman and Paul Lomas, attorneys from the law firm of Freshfields Bruckhaus Deringer discuss what they term the “tectonic shift” in anti-bribery and anti-corruption compliance internationally. The authors posit that increased enforcement of the US Foreign Corrupt Practices Act (FCPA); the release of the Organization of Economic Cooperation and Development (OECD) Good Practice Guidance on Internal Controls, Ethics and Compliance (OECD Good Practices); and the impending July 1 implementation date of the UK Bribery Act, have all acted to place “new burdens” on companies to have the highest standard of anti-bribery corruption programs in place.

The requirements of the FCPA are interpreted through the US Sentencing Guidelines, various Deferred Prosecution Agreements and Department of Justice Opinion Releases. The Bribery Act is interpreted through Guidance released by the UK Ministry of Justice. The OECD Good Practices contain its own commentary on interpretation. Using these documents, collectively called “the Sources” we will discuss the authors’ ten essential elements an anti-bribery and anti-corruption compliance program. The ten elements formulation is as follows:

  1. Risk Assessment-as all three of the Sources, speak to the need for risk assessments, the authors recommend that a company annually assess its risk for bribery and corruption and use this assessment as a guidelines to take steps to reduce the overall risk of such conduct.
  2. Implementation Generally-while the OECD Good Practices does not specifically address this element, it is contained within the FCPA and Bribery Act. The FCPA most generally says that an anti-corruption policy should be implemented while the Bribery Act more specifically recommends the embedding of “reasonable policies and procedures throughout the organization with an eye towards practical business issues.”
  3. Participation-this means involvement by all levels of an organization; including (a) appropriate ‘tone at the top’; (b) senior level involvement; (c) individual responsibility and (d) company-wide culture.
  4. Policies and Procedures-all three Sources require that written policies and procedures form the cornerstone for any anti-corruption and anti-bribery program. Care should be taken that it be written in plain English and not “by lawyers-for lawyers.”
  5. Enforcement-this is defined as internal company enforcement and here the authors point to not only ongoing monitoring, auditing and assessment but also granularity down to the individual employee level. There should be both a ‘carrot and stick’ approach so that employees are disciplined for compliance failures but also rewarded (and seen to be rewarded) for doing business through appropriate compliance avenues.
  6. Reporting and Response-under the FCPA, an anonymous reporting Hotline should be a component of a company’s overall compliance program. The Bribery Act calls it a ‘speak up’ line but whatever it is called, there should be recognized reporting mechanisms in place that allow an employee to report allegations of bribery and corruption and protections in place to guard against retaliation for such reporting.
  7. Third Party Compliance-all robust anti-bribery and anti-corruption programs discuss the risk of third parties. They all agree that this risk must be properly evaluated, investigated and managed going forward. Appropriate due diligence must be performed and compliance terms and conditions are important with all third parties. General oversight after the contract is signed is also a key element.
  8. Training-all the Sources of guidance state that training of a company employees, with an annual certification, is an important part of an effective anti-bribery and anti-corruption program. The Bribery Act extends this training to third parties.
  9. Periodic Review-it is important for a company to engage in a review on no less than an annual basis. The Sources list several areas that should be assessed. A company should determine if its overall program in effective both internally and externally. Additionally, if there are new best practices a company should assess whether those concepts should be brought into its anti-bribery and anti-corruption program. If a company moves into a new business areas or a new geographic area, these new risks should be assessed, evaluated and managed as well.
  10. Record Keeping and Internal Controls-both the FCPA and Bribery Act have language that makes clear that not only must books and records adequately reflect a company’s expenses but that internal controls are key defense and preventative measure against bribery and corruption.

The authors then advocate a three step implementation plan for an anti-bribery and anti-corruption program. This three step approach being with (1) Strategic Planning-where risks are assessed and then resources are dedicated to ameliorating or managing the risks; (2) Written Compliance Policy-every company should commit its entire anti-bribery and anti-corruption program to writing and distributed company-wide and to appropriate third parties; and (3) Implementation Plan-after risks are assessed a company-wide implantation plan should be created to begin to implement the policy beginning with the highest risks first and moving step-by-step throughout the company.

We congratulate the authors for a thoughtful paper which is great use to the compliance practitioner. If your company is implementing a compliance program, this article lays out a clear road map that you can follow. However the paper is equally of value to the company which needs to assess or review its overall anti-bribery and anti-corruption program. The authors use of the FCPA interpretations, the Bribery Act Guidance and OECD Good Practices are references point throughout the piece which provide an excellent resource for the compliance practitioner to gauge an ongoing compliance program. We welcome the authors’ contribution.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

March 22, 2011

Internal Controls under the UK Bribery Act and FCPA

Although much is still unclear about the implementation date, or the manner in which the UK Bribery Act will be enforced, it is clear that one of the important compliance functions which a company should implement is appropriate internal controls. The previously released Consultative Guidance had the following language regarding internal controls, “Businesses should also consider how their existing internal company procedures can be used for bribery and corruption prevention. For example, financial and auditing controls, disciplinary procedures, performance appraisals, and selection criteria can act as an effective bribery deterrent.”

Internal controls are a key component of any best practices compliance program, whether based upon the Foreign Corrupt Practices Act (FCPA); OECD Good Practices or another local law. Appropriate controls are always needed for the reason that if a compliance program relies simply on the issuance of compliance policies, and on the honesty of a company’s employees, a company may get lucky and avoid a violation but a it will not have an effective compliance program.

Internal controls means more than simply financial and auditing controls. As noted by the UK Bribery Act Consultative Guidance, internal controls should also be applied to other areas of a company’s overall program. Internal controls can provide a check on employee training, certification and testing; issues related to employee performance, such as performance appraisals and disciplinary procedures; and third party due diligence and administrative procedures.

As recently as last week, yet another enforcement action was announced by the Securities and Exchange Commission (SEC) for violation of the books and records component of the FCPA. The SEC agreed to a settlement related to a finding that IBM’s internal controls were inadequate. Improper payments were made to South Korean officials and improper travel and entertainment was paid for Chinese officials. All the payments were by subsidiaries for which IBM was held responsible.

Within the FCPA, the requirements of the books and records provision requires that a company keep detailed books and records which fairly reflect the company’s transactions and disposition of assets. While many companies are familiar with external auditors, who consider materiality to financial statements when determining an audit scope and where the audit focus is the fairness of the presentation of financial statements in all material aspects. They are also experienced with audits for Sarbanes-Oxley (SOX) purposes, which allow exclusion of coverage for immaterial processes and locations and the focus is more directed to the avoidance of material misstatements in the financial statements. However, this materiality issue does not arise under the books and records provisions of the FCPA. Put another way – there is NO materiality consideration – either in the transaction amount or the size of the operations.

Effective controls generally mean that a company’s controls are designed to meet specific objectives. A company’s internal control system should include measures to ensure that controls are consistently and accurately performed. A company should maintain internal accounting controls which provide reasonable assurance that:

  • Transactions are properly authorized;
  • Transactions are accurately recorded;
  • Accountability for assets is maintained; and
  • Unauthorized access to assets is prevented.

It is important that a company assesses its internal accounting controls at regular intervals. This means that a company should compare the recordkeeping for assets to an inventory of the actual physical assets. If there are discrepancies, remedial action should be taken. Some examples of this can be physical inventory counts, fixed asset counts and cash reconciliation.

Last week’s SEC enforcement action against IBM drove home yet again the importance of adequate books and records in any FCPA compliance program. Internal controls are a key element in providing sufficient records. An overlooked part of the UK Bribery Act is that all companies subject to its rules and regulations must have an adequate internal controls program, encompassing areas much broader than adequate books and records. These areas should be assessed and remedial action taken to correct any deficiencies as  part of a company’s ongoing assessment and compliance program update.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

« Previous Page

Blog at WordPress.com.