How To Conduct an FCPA Assessment: Protect Overseas Assets By Adhering to FCPA Laws
(This article was contributed to Corporate Compliance Insights by Denise Messemer, a Director in the Investigations practice in the New York Office of PricewaterhouseCoopers.)
—————
How to Conduct an FCPA Assessment
How U.S. companies protect assets overseas by adhering to laws that direct their actions in foreign countries.
Are your business operations risky? The answer to that all depends on how you define risk and your corporate risk appetite.
As companies grow and expand into emerging economies, one risk that has become more prevalent is that of corruption and bribery. To help combat bribery, the U.S. Foreign Corrupt Practices Act (FCPA) was instituted in 1977 and has three provisions: anti-bribery, accounting, and internal control.
The FCPA essentially prohibits providing or promising to provide anything of value to foreign officials in order to obtain or retain business or any improper advantage. The FCPA also requires issuers to keep accurate and transparent books and records and maintain a system of internal controls to ensure transactions are executed in accordance with management’s instructions.
Some of the risks of running afoul of the FCPA include: fines, penalties, nullification of contracts, debarment from government contracts, regulatory investigations, civil lawsuits, disgorgement of profits, damage to brand and reputation, management distraction, and incarceration of executives, amongst others.
Most countries have laws prohibiting bribery; however, enforcement history has not been consistent in most parts of the globe. This is likely the reason that companies repeatedly fall into the corruption trap, otherwise known as “local business practice.” However, the world is changing and the dichotomy between local leniency and U.S. action is no longer the prevailing scenario. There has been an uptick in foreign enforcement, and U.S. prosecutors are also reporting increased international cooperation. Acknowledgement of the assistance provided by foreign regulators is often explicitly mentioned in U.S. regulatory releases.
[Sidebar: Siemens: Cooperation and Costs]
Prosecutorial expectations of corporate compliance systems and behavior are very high. Those who are caught in the spotlight of an investigation can expect that the government’s knowledge of global business practices, and what can be done to change them, is equal to or greater than their own.
So what can you do to protect your business?
One starting point would be to take a look at recent enforcement actions to see where regulator expectations currently lie. Looking at the recent experience of some companies who have not lived up to regulatory expectations may make it easier to justify the costs of proactive preventative expenditures as less costly than a reactive remedial “fix”. 1
Another would be to look to the U.S. Federal Sentencing Guidelines (Guidelines), which are what prosecutors use when deciding whether to charge a company, and if charged, how much credit (reduction in culpability score), if any, is to be given. Credit is assessed based on the level of cooperation and responsiveness provided by a company as well as steps taken to remediate prior issues and strengthen controls on a go-forward basis. For one example of current regulatory expectations, see the sidebar for excerpts from the Siemens DOJ Sentencing Memorandum, dated December 12, 2008.
Key to protecting your assets is implementing a sustainable and integrated compliance structure. Compliance program elements, as inferred from recent enforcement activity and the Guidelines, include:
- Clearly articulated policies and procedures, reasonably capable of reducing the prospects of violations
- Unambiguous tone at the top
- Assignment of compliance responsibility to appropriate senior managers
- A system for reporting suspected violations
- Appropriate disciplinary (and incentive) mechanisms
- Periodic training
- Due diligence on third parties, in particular those acting as Sales and Logistics Agents
- Periodic reviews of corporate policies
- Compliance monitoring, including field visits and other forms of on-site inspections
Many companies have most of the above elements in place, at least to varying degrees. However, one of the program elements many companies often find difficult to demonstrate is proactive and regular compliance monitoring, internally and/or at third parties. This may be a result of under-appreciating the risks posed by operating in certain economies during the planning and budgeting process for compliance monitoring, or it may result from a misunderstanding of regulatory expectations relating to such programs.
In today’s cost-containment environment, companies may be tempted to cut compliance budgets and/or resources. This in itself is a risky scenario, especially in light of the additional pressures placed on sales organizations to make targets. What then can a company do to balance rising expectations on the government side, and increased enforcement efforts, with responsible cost management?
The first step is conducting a risk assessment. These assessments need to be tailored to your specific industry. Combining qualitative and quantitative inputs when assessing risk often provides insightful information. Items often considered when assessing risk include:
[Table with columns: Quantitative | Qualitative]
Once you have the results of this assessment, a pragmatic approach to prioritizing locations and initiatives (e.g., training) should be taken. Regulators understand that you can’t do it “all at once” and so want to see a sound, logical methodology or approach to a current and go-forward action plan. The following is a sample of some of the first steps to be taken when developing a compliance framework.
Identify and focus on high risk
- Territories
- Customers (government-related)
- Sales model (use of third parties such as agents or distributors) or practices (gift giving, facilitation payments)
- Employees (government facing)
Assess current-state compliance program (functions, policies, procedures and practices)
- Compliance organization (size, reporting, responsibilities)
- Communication
- Training
- Policies: cash, travel, gift, entertainment, facilitation payments
- Third party due diligence, retention and contracting
- Existence of hot-line and/or help-line
Monitoring / Enforcement Efforts
- FCPA Compliance Assessments / Audits
- Management reporting of compliance activities / results
- Management response to violations (of company policy or law)
FCPA Compliance Assessments are generally performed by a combination of a company’s internal audit group and legal/compliance group. When resources are constrained, either in number or relevant experience, companies often seek the assistance of forensic accounting firms. Whatever the team make-up, FCPA Compliance Assessments 2 should include:
- Assessing the existence and effectiveness of policies (levels of authority, charitable contributions, petty cash, gifts, travel, retention of third parties, entertainment, facilitation payments, etc.) both at the corporate and local levels
- Assessing management communication / tone at the top
- Assessing employees’ understanding of anticorruption related policies and procedures
- Reviewing prior internal audit or compliance findings
- Interviewing select members of management and/or employees
- Obtaining and analyzing financial data. Points to consider in relation to financial data include:
  - There is no materiality when it comes to assessing potential violations
  - Locations may have different accounting platforms and varying levels of sophistication
  - Data privacy and protection laws can significantly delay the collection and analysis of data
- Performing transaction testing (compliance sensitive accounts looking for existence of red flags and/or potential violation(s) of company policy or law)
- Reviewing agreements with third parties
- Reviewing sales contracts
- Reporting
  - Special consideration needs to be given to reporting. Consultation with counsel is recommended. Counsel should determine: whether the assessment should be conducted under privilege, report recipients, report content and the process for reporting identification of potential violations.
Obviously, spending time and money ensuring compliance with appropriate business practices can be perceived as unproductive and some may question the benefits. This is why, to be successful, commitment to appropriate principles must come from the very top of an organization. Benefits of implementing an integrated compliance framework, including regular monitoring, include:
- Achieving company business goals without violating laws
- Enhancing the ability to detect and deter violations of the FCPA and other foreign anti-corruption laws
- Demonstrating a commitment to lawful business practices
- Reducing the likelihood or avoiding:
  - Loss of business (e.g., debarment, cancelled contracts)
  - Business disruption and management distraction
  - Damage to brand reputation
  - Monetary fines
  - Incarceration of executives
Enforcement trends have shown that the old adage “an ounce of prevention is worth a pound of cure” is more relevant now than ever before.
**********
About the Author
Denise Messemer has over 19 years of professional experience. She is a Director in the Investigations practice in the New York Office of PricewaterhouseCoopers. She provides specialized advisory services to attorneys and their clients and senior company management.
This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
———-
References Cited:
1 – Siemens, in its Form 20-F for the fiscal year ended September 30, 2008, reported that “Expenses for outside advisors engaged in connection with investigations into alleged violations of anti-corruption laws and related matters as well as remediation activities were €510 million in fiscal 2008 compared to €347 million in the prior year.” This presumably would have been much less costly if the company was in a proactive rather than a reactive mode.
2 – FCPA Compliance Assessments, as referred to here, are assessments of a company’s location, division, department, etc. Assessments can also be performed on third parties (e.g., audit rights). The steps performed in “auditing” a third party are similar to the ones mentioned here, but can also differ in many respects.




