Many organizations overlook their ERP system as a “data-driven” line of defense. It is a transaction-based system that, if properly managed, can assist in preventing corporate failures or capturing illegal activities that can cripple an organization. It’s designed to protect an organization, small or large, private or public, from illegal activity.
In the wake of a succession of high-profile corporate scandals around the world, the Department of Justice and the Securities and Exchange Commission have become more aggressive in their investigations and enforcement of the Foreign Corrupt Practices Act. Hence, FCPA compliance remains a hot topic in boardrooms of responsible organizations that see fraud prevention on par with other critical initiatives in today’s skeptical and highly regulated environment.
Organizations must understand that the reach of the FCPA is long, and the penalties, both in the United States and in other countries where anti-corruption laws are enforced, can be stiff. Some violators will face jail time.
A recent offender received a prison sentence as well as restitution of $10.5 million for bribing government officials to secure a $6 billion natural gas contract for his company and its partners. Had the chief executive officer not cooperated, the incarceration could have been set at seven or more years.
So how do organizations know where to draw the line? What is bribery? How can they determine whether they are in compliance, and how can technology help? There are some grey areas.
Suppose an employee takes several people out to dinner and one or more fit the definition of a foreign official. Is an expensive dinner a violation of the FCPA? This question cannot be answered with the scant amount of information available. However, your ERP system enables you to flag the expense report and then send a follow-up questionnaire or take other measures to get more information and ensure your organization is FCPA compliant.
Maybe the dinner was just a rookie mistake. The ERP system can and should be tuned to catch it. It is a resource to show that you have the proper controls and procedures in place to detect potential missteps. In addition, it demonstrates a deliberate and documented effort to comply.
Perhaps one dinner or incident might not be detected as a problem by your ERP system. However, it will alert you to patterns within a work group and vague or ambiguous relationships or job titles. It will detect when a group is engaging in more potentially harmful activity than one would normally expect. And it will identify employees who are rotating payments so that no one is singled out as a “big spender.”
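The "rotating payments" pattern described above, as an added illustration that is not part of the article and not the logic of any particular ERP product: expense lines are grouped by work group and recipient, and a finding is raised when several employees each stay under the individual review limit while the group as a whole pays far more. The field names, limits and sample expense lines are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Expense:
    employee: str
    work_group: str
    recipient: str   # payee or guest named on the expense report
    amount: float    # USD
    when: date


# Constructed sample expense-report lines, not real data.
SAMPLE_EXPENSES = [
    Expense("a.lee",   "sales-west", "Port Authority contact",  480.0, date(2023, 3, 2)),
    Expense("b.chen",  "sales-west", "Port Authority contact",  455.0, date(2023, 3, 9)),
    Expense("c.ortiz", "sales-west", "Port Authority contact",  470.0, date(2023, 3, 16)),
    Expense("d.singh", "sales-west", "Port Authority contact",  490.0, date(2023, 3, 23)),
    Expense("a.lee",   "sales-west", "Office supplies Ltd",     120.0, date(2023, 3, 5)),
    Expense("e.kim",   "eng-east",   "Conference caterer",     2400.0, date(2023, 3, 7)),
]


def find_rotated_payments(expenses, per_person_limit=500.0, group_limit=1500.0, min_payers=3):
    """Return one finding per (work_group, recipient) where every single payment
    stays under per_person_limit (so no individual looks like a 'big spender')
    yet at least min_payers employees together exceed group_limit."""
    buckets = defaultdict(list)
    for e in expenses:
        buckets[(e.work_group, e.recipient)].append(e)

    findings = []
    for (group, recipient), items in buckets.items():
        payers = {e.employee for e in items}
        total = sum(e.amount for e in items)
        largest = max(e.amount for e in items)
        # The group-level view is what exposes the pattern; per-line review would miss it.
        if len(payers) >= min_payers and largest < per_person_limit and total >= group_limit:
            findings.append({
                "work_group": group,
                "recipient": recipient,
                "payers": sorted(payers),
                "total": round(total, 2),
                "largest_single": largest,
            })
    return findings


if __name__ == "__main__":
    for finding in find_rotated_payments(SAMPLE_EXPENSES):
        print(finding)
```

A finding is a prompt for follow-up (the questionnaire or review the article mentions), not a conclusion about intent.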
Bribes can take many forms, including cash, equipment, benefits, or anything of value that can influence a decision. Additionally, dishonest employees are quite crafty at adapting their behavior if they know there are strong controls around petty cash disbursements. These variables can easily go undetected by manual systems. But ERP systems process enormous amounts of transactional data, and they do so with precision beyond the capabilities of any manual system.
The investigations and enforcement actions pursued by law enforcement officials often involve thousands — sometimes millions — of dollars. If programmed to do so, an ERP system will identify an anomaly involving a few hundred dollars or a few million. And if the transaction looks “fishy,” the system does not discriminate regarding corporate rank or the value of the transaction. “Fishy” is “fishy,” whether it is a relatively small amount or a substantial sum.
Many FCPA violations come to light during merger and acquisition activities. Acquiring companies can be held liable for FCPA violations; the same goes for joint ventures. Your ERP system is the data-driven engine for demonstrating your compliance with the FCPA. A real-time or near real-time system that demonstrates, quantitatively, your ability to manage this risk can only help increase the value (and decrease the apparent risk) should your company be a candidate for acquisition, merger, joint venture, or minority stake purchase.
Likewise, lessons learned while making full use of your ERP’s capabilities in combating fraud will provide invaluable insight for due diligence in your M&A activities. Your legal and regulatory experts should play a role in developing your holistic approach to risk management, and they need to be familiar with the capabilities and information potential that a well-tuned, real-time ERP system can provide.
Organizations need to know what happened, when it happened, who was involved, why the transaction took place, and the value of the transaction. The system can identify patterns. People often take the path of least resistance, and often they will continue on that path, regardless of how many switch-backs, phony invoices, and clever pay-offs are involved. Bribes take place for a reason; they are seldom random occurrences. An assumption that has proved valid in many instances is that a bribe is rendered to gain a favorable outcome that otherwise might not be gained. Quite frankly, it might raise suspicion as to whether success is hard earned or contrived.
Success is admirable; we all look up to the outstanding performer. But unexpected success is, in itself, potentially a red flag. Success can point to an inherent vulnerability if that success does not ring true. Because all transactions flow through the ERP system, use the system to ensure success is earned. Under federal alternative fine provisions, companies and individuals may be fined up to twice the benefits sought or received, enough to more than wipe out any ill-gotten gains.
To protect your organization, take full advantage of the substantial capabilities that transaction-based ERP systems provide.
When you combine continuous monitoring with data analytics — such as the kind that look for patterns amid the seemingly chaotic atmosphere of multinational business — you have a powerful tool to detect and respond to all kinds of risks and opportunities, not the least of which is protecting your company from the substantial risks of FCPA noncompliance. Stay tuned: more on continuous monitoring and data analytics to come in our next article in this series.
About the Author
Joe DeVita is a partner with PricewaterhouseCoopers, based in the New York Metro area, and leads the governance, risk and compliance (GRC) technology practice for PwC. Joe works with clients to improve and optimize controls around the financial reporting processes, including business process and IT management controls and IT Security and governance reviews. He also assists clients with application selection, implementation, and optimization of Oracle applications including Oracle E-Business Suite and Oracle GRC Suite.
- Assisting our clients to optimize their risk and internal control activities, including SOX readiness/optimization activities, through assessing the effectiveness of internal controls, ensuring alignment with the organization's business objectives and risks, and using control activities to drive process improvement and enhanced business value.
- Custom developing and deploying solutions for clients to facilitate various processes not captured in the core ERP environments.
- Ensuring IT is aligned to organizational strategy and responsive to a changing business climate, with clearly defined policies and procedures that take into account legal and regulatory compliance requirements.
- Enhancing the process of developing robust controls around pre- and post-implementation system reviews through a clearly defined project management methodology that emphasizes the importance of benefits management.
- Performing third-party and other opinion-level services in response to service organization requests from customers for information about internal controls or requests for access to audit (generally in accordance with contractual agreements).
- Assisting ERP clients to optimize and sustain a real-time controls environment at an enterprise level. We evaluate the effectiveness of current controls and develop a plan to rationalize financial and operationally significant controls. We subsequently design and implement a full range of simplified, standardized controls within core business applications that enables the company to document, monitor and continuously assess the effectiveness of those controls in a real-time environment.