“Controlling” FCPA Risk: Assessing Internal Controls to Ensure Risk is Mitigated
(The following article was contributed to Corporate Compliance Insights by Kelly Gentenaar and William Olsen of Grant Thornton LLP. Ms. Gentenaar is a Manager of Forensic Accounting and Investigative Services. Mr. Olsen is a Principal in the Economic Advisory Services Practice. The authors can be contacted at the following email addresses: Kelly.Gentanaar[at]gt[dot]com and William.Olsen[at]gt[dot]com.)
—————
History and Trends
Congress initially passed the Foreign Corrupt Practices Act (“FCPA” or the “Act”) in 1977 as a result of SEC investigations that revealed that more than 400 U.S. companies admitted making questionable or illegal payments – totaling in excess of $300 million – to foreign government officials, politicians, and political parties. At a turbulent time in American history, the Act was intended to restore public confidence in the integrity of the American business system. It is doubtful that Congress could have foreseen the unprecedented globalization of the world’s economy that has transpired over the past 30 years and the impact the Act would have on global commerce and subsequent anti-corruption legislation in other countries and regions.
In the age of global corporations, compliance professionals cannot afford to simply be reactive when a potential FCPA violation occurs. They must be proactive advocates of a control environment that prevents FCPA violations.
During the past several years, the FCPA has enjoyed an unprecedented spotlight as the U.S. Securities and Exchange Commission (“SEC”) and the U.S. Department of Justice (“DOJ”) have increasingly turned to the Act to penalize domestic and overseas companies – as well as individuals – suspected of bribing foreign officials to secure business. The DOJ and the SEC initiated 38 FCPA matters in 2007, as compared to only 6 in 2003. In 2008, FCPA matters initiated totaled 25. In the first six months of 2009, 19 enforcement actions were initiated by the SEC and DOJ. Additionally, fines and penalties related to FCPA matters have increased dramatically.
The Siemens AG settlement announced on December 15, 2008 was the largest settlement to date at $1.6 billion. At the announcement of the Siemens settlement, Linda Chatman Thomsen, Director of the Division of Enforcement of the SEC, noted that the SEC portion of the settlement ($350 million) was 10 times larger than the largest prior SEC FCPA settlement. As the number of investigations and settlements continues to grow, it is critical for companies, and specifically compliance professionals, to ensure the appropriate control environment is established, maintained and monitored.
FCPA Provisions
When assessing controls it is important to remember that the FCPA contains two separate aspects: anti-bribery and accounting provisions.
The anti-bribery provisions make it unlawful to make a payment to a foreign official (including candidates for office or political parties) for the purpose of obtaining or retaining business or an improper business advantage.
The accounting provisions require that companies maintain books, records, and accounts which accurately and fairly reflect, in reasonable detail, the transactions and dispositions of assets of the company. Companies are also required to devise and maintain a system of internal accounting controls that provide reasonable assurance that transactions are executed in accordance with management’s general or specific authorization.
Transactions must be recorded to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements. Accountability of assets must be maintained. Access to assets must only be permitted in accordance with management’s general and specific authorization. The recorded accountability for assets must be compared with the existing assets at reasonable intervals, and appropriate action must be taken with respect to differences.
Failed Controls
On May 29, 2009, the SEC settled an enforcement action against Thomas Wurzel, the former president of ACL Technologies, Inc. (“ACL”), and a related administrative proceeding against the former parent company of ACL, United Industrial Corporation (“UIC”). Both settlements were reached without the defendants admitting or denying the allegations.
The allegations against Mr. Wurzel stated that the former president authorized payments to an agent in order to secure contracts with the Egyptian Air Force (“EAF”). The administrative order against UIC stated, “…UIC lacked internal controls sufficient to detect or prevent improper payments such as those made by ACL to the EAF Agent.” Specifically, Mr. Wurzel was able to authorize large payments to the EAF Agent without meaningful substantiation or supporting documents.
Documentation provided by the EAF Agent indicated that the payments were for “consulting” or “marketing services,” without meaningful records detailing the services being provided. Furthermore, the initial payments (as early as 1997) were authorized to the EAF Agent in the absence of a written contract with the EAF Agent or documented due diligence having been conducted. Internal policies of UIC, instituted in 1999, required that any employee wishing to engage the services of a foreign agent submit due diligence forms prior to corporate counsel granting approval. Due diligence forms for the EAF Agent were not submitted until 2002. Additionally, although UIC’s regulatory compliance policy required certain representations specific to FCPA compliance to be included in contracts, these representations were not included in the EAF Agent’s contract until 2003.
As the UIC case illustrates, it is not enough to document internal controls through policies. In order to ensure compliance with the FCPA, the control environment must be cultivated through clearly articulated and monitored control activities that prevent management override. Furthermore, monitoring of internal controls needs to be vigilant and substantive to ensure that policies and procedures are followed in all cases. Compliance professionals should be aware that creating a documented anti-corruption program does not in and of itself create a control environment.
Controls Assessment
Controls must be assessed for both design and operating effectiveness. The accounting provisions of the FCPA do not specifically call for the development of FCPA-related control activities. The elegance of the Act is that the books and records provisions implicitly promote an environment where violations of the anti-bribery provisions do not occur.
In conducting an FCPA controls assessment, one must identify and understand the risk factors systemic to the industry and unique to the company. Simply stated: 1) where are you doing business; 2) who are you doing business with; and, 3) how are you doing business?
Where Are You Doing Business?
Conducting business in geographic locations where corruption risks are high necessitates a stronger level of control activity for those specific locations. Design of controls must take into account the risk profile of the countries where your company operates and known areas of corruption specific to your industry. Controls for countries or regions with high-risk profiles should include greater oversight of accounting and purchasing functions. Additionally, to determine if controls are operating effectively, monitoring of activities, through such means as internal audit, should be more frequent for higher-risk geographies.
Who Are You Doing Business With?
FCPA risks increase where your potential customers are government agencies or state-owned enterprises. If you do business with these types of customers, activities such as meals and entertainment or travel related to customer demonstrations must be evaluated for FCPA implications. Controls should be established to identify government-related customers. Furthermore, controls must be implemented to identify expenses related to these customers and ensure appropriate authorization.
How Are You Doing Business?
The use of consultants or marketing personnel as “agents” to help develop business significantly increases FCPA risk. Policies and procedures for retaining and contracting agents should be developed and implemented. Due diligence on the agents should be conducted to ensure a solid understanding of the type of individual or vendor engaged to represent the company. Furthermore, documentation of payments to agents (such as banking details) should be compiled during contracting and compared to payment instructions received with invoices from the agent to ensure discrepancies do not exist.
Compliance professionals can be at the mercy of overseas operations for the identification of new vendors as agents. In order to ensure that all agents are identified prior to engagement, monitoring of general ledger accounts (such as consulting, marketing, and legal fees) should be conducted. Other types of transactions, such as charitable or political contributions, should require prior approval, and these general ledger accounts should be monitored. Additionally, controls should be implemented relating to regulatory relationships such as licenses, permits and other approvals. In addition to established business operations, controls must be assessed for FCPA implications in business acquisitions, joint ventures and business partnerships. Compliance professionals should be included in new business venture discussions to ensure that risks are appropriately mitigated before a new endeavor is undertaken.
Conclusion
Compliance with both anti-bribery and accounting provisions of the FCPA must be fostered through a strongly implemented control environment. Developing this environment is an enterprise-wide process that should include not only the compliance professionals of an organization, but also corporate officers, other management, the board of directors (particularly the audit committee), the finance department and internal audit. The “tone from the top,” communicated through corporate correspondence such as policies and procedures, actions of management, and training, is the foundation for the control environment.
Building from that foundation, control activities – designed appropriately and operating effectively – should be continually assessed to ensure that FCPA risks have been mitigated. Furthermore, as the company evolves with new business enterprises and the changing global economy, compliance professionals must provide input into the assessment of risks associated with new operations, whether related to new business or geography. Finally, control design, as well as control operating effectiveness, should be continually assessed in order to ensure that policy, procedural and, ultimately, regulatory compliance is obtained.
Having a robust anti-corruption program will not only assist an organization in detecting and deterring violations of the FCPA but also help in mitigating fines and penalties if violations do occur. Being able to demonstrate that top management set the proper tone from the top and was proactive in monitoring for compliance with anti-corruption policies and procedures will be very helpful when dealing with regulators and prosecutors and when trying to separate the actions of individuals from those of the organization.
Lastly, the financial impact of the loss in business reputation when a violation occurs can often be more severe than the fines and penalties for a violation. When all of this is taken into account it is apparent that there is a very strong business case for adopting a proactive approach to mitigating the risks of an FCPA violation.
**********
About the Authors
Kelly Gentenaar is the Manager of Forensic Accounting and Investigative Services for Grant Thornton LLP in Washington, DC. Ms. Gentenaar conducted and managed numerous Foreign Corrupt Practices Act (FCPA) investigations and compliance reviews. Her engagements involved the review of corporate records and governance policies to provide recommendations for enhancements of procedures within the context of an FCPA program. She provided an overall anti-corruption internal controls review of a large multi-national not-for-profit and managed an international team providing investigation of allegations of the bribery of foreign officials by key members of a Fortune 500 company. Ms. Gentenaar also participated in a major due diligence investigation of an international gaming company.
Bill Olsen is a principal in the Economic Advisory Services practice of Grant Thornton located in McLean, Virginia. Mr. Olsen is a former member of the Financial Crimes Bureau of the NJ Attorney General’s Office. He also served as a Global Manager of Risk and Security for a Fortune 500 company. He was with Arthur Andersen prior to joining Grant Thornton. Many of his engagements included providing consulting or investigative services regarding the Bank Secrecy Act, False Claims Act and Foreign Corrupt Practices Act.




