Monitoring your intermediaries can be an expensive endeavor. Jim Nortz explores how to keep an eye on your intermediaries without breaking the bank.
Years ago, a friend of mine recounted for me his first law school class. He and his fellow classmates had assembled and were seated in the lecture hall. There was a buzz of anticipation as they awaited the professor’s arrival. Posted in the front of the room above the chalkboard was a very conspicuous “No Smoking” sign.
The students were puzzled when a pudgy, gray-bearded law professor strode into the classroom puffing away on a very large cigar. He stood for several minutes eyeing the first-year students as the room became foggy with smoke. After some time had passed, he asked in a craggy old voice, “What is the law?”
After a minute of befuddled silence, he pointed to the no smoking sign with his cigar and said, “Is that the law? Is a law really a law when it is not enforced?”
This same question can be asked regarding your intermediary contracts. No matter how well-crafted, the words on the paper mean nothing unless you put in place a meaningful monitoring and auditing program to verify intermediary compliance. Not surprisingly, the DOJ and SEC share these sentiments. The second edition of the DOJ’s and SEC’s “Resource Guide to the U.S. Foreign Corrupt Practices Act,” released on July 3, 2020, states:
“[C]ompanies should undertake some form of ongoing monitoring of third-party relationships. Where appropriate, this may include updating due diligence periodically, exercising audit rights, providing periodic training and requesting annual compliance certifications by the third party.”
As is typical of most government guidance, it is long on the “what,” but short on the “how.”
Ideally, you might meet DOJ and SEC expectations by investing in the creation of a dedicated, multidisciplinary cadre of professionals to perform this work full time. If you have the resources and management support to do this, count yourself among the lucky few. If not, you will need to develop a commercially reasonable, cost-effective monitoring and auditing program that is sustainable and yields meaningful, actionable performance data. I recommend such a program comprise the following four elements:
- First-party monitoring,
- Third-party monitoring,
- Risk-based audits and
- Annual due diligence questionnaire updates and compliance certifications.
First-party monitoring is the ongoing company oversight of intermediary activities by the individuals assigned to mediate your company’s relationship with the intermediary. Ideally, such monitoring would consist of periodic site visits, meetings with intermediary management and open discussions about any compliance issues the intermediary might be encountering in performing their work. The idea is to fold compliance considerations into routine business discussions with your intermediaries and to have an eye out for red flags during such interactions.
Do not presume that your business colleagues know how to perform this work or that they share your enthusiasm for monitoring intermediary compliance with contract terms, the law and ethical business practices. If your company is like most, your staff have a lot on their plate. For example, those charged with managing sales intermediaries must focus on myriad intermediary performance factors, like sales, revenue, territorial expansion and customer acquisition. As with the first-party due diligence practices described in Part 2 of this series, to ensure your business colleagues are performing this work, you will need to train them in how to do it and get your management to set the expectation that it must be done.
Your success in selling first-party monitoring practices to your business colleagues will depend in part on whether you present to them a practical means of incorporating the work into their routine intermediary interactions. One way of achieving this objective is to provide your colleagues with practice aids such as checklists and reporting forms that can be completed with the click of a mouse and uploaded into your intermediary case management system to keep the compliance function and the business apprised of monitoring findings and to create a record that the work is being performed.
Many of the firms that provide global intermediary due diligence services also provide monitoring services. Generally speaking, for a fee, these firms will continuously monitor hundreds of government databases for the names of your intermediaries and their principals. These services are designed to alert you, via your intermediary case management system, to instances in which your intermediaries have been identified by government agencies as bad actors. Such notifications will provide you with timely information that will permit you to investigate such matters and, if necessary, sever relationships with intermediaries who have significant compliance issues.
As a practice note, when shopping for or setting up a third-party compliance monitoring program, be sure to get one that filters “false positive” hits to spare yourself hours of determining whether the “John Smith” on a government’s bad guys list is your “John Smith.” Also, make sure you understand the monitoring system’s limitations. Some systems may only monitor government databases, but not media reports or court decisions. If this is the case with your provider, you may need to supplement your intermediary third-party monitoring system with other resources. By way of example, in the past, I have retained outside law firms in jurisdictions like China to conduct quarterly searches of criminal cases for the names of company intermediaries.
On-the-ground, in-person audits are by far the best way to determine whether your intermediaries are playing by the rules. However, for most companies, it is impractical and cost-prohibitive to audit every intermediary. So, to ensure you get the most bang for your buck, I recommend rank-ordering your intermediaries based on a set of risk factors. These could include:
- The corruption perception index of the country in which they operate,
- The frequency with which they interact with government officials,
- The intermediary’s compliance program strength and
- The intermediary’s annual sales revenue.
Once this risk-ranking exercise is completed, you will have a rational basis upon which to ground the selection of your audit targets and develop your audit plan. To further manage your costs and to ensure your intermediary audits are as productive as possible, I recommend you develop a sensible audit protocol and a standard reporting format with the object of directing your auditors to zero in on specific intermediary activities that drive corruption risks. The following is a high-level outline detailing key audit protocol elements:
- Forward to the intermediary a letter informing them of the audit, along with a questionnaire and request for documents regarding the following subject matter:
  - Anti-corruption policy and employee training records,
  - Any value transfers to customers or government officials (charitable contributions, political contributions, grants, gifts, consulting contracts, travel, entertainment expenditures, etc.) and
  - General ledger activity related to company expenditures including petty cash spend records.
- Review questionnaire and document responses, prior due diligence records and your company’s internal financial records related to the intermediary and plan audit scope.
- Execute an on-site audit by your company’s audit team with the assistance of a local independent auditor with the necessary language skills and knowledge of applicable laws, accounting standards and local business practices:
  - Review intermediary documents and financial records, and
  - Interview intermediary management and selected employees.
- Write a report summarizing audit findings, assessing:
  - The intermediary’s operations,
  - The intermediary’s anti-corruption policy and associated employee training program,
  - The quality of the intermediary’s books and records,
  - The intermediary’s interactions with and value transfers to customers and government officials and
  - Corruption red flags.
All such audit reports should be uploaded into your intermediary case management system and circulated to relevant business personnel as well as members of a corporate intermediary anti-corruption oversight team composed of legal, compliance, finance and accounting professionals charged with regulating all aspects of your intermediary anti-corruption program. This team should work with the business to take swift and decisive corrective action in response to any audit findings indicating the intermediary is likely engaged in corrupt business practices or is otherwise not complying with the terms of their intermediary agreement.
Annual Due Diligence Questionnaire Updates and Compliance Certifications
Like all businesses, intermediaries engage in mergers and acquisitions, change their names, move to new locations and make changes in their top leadership ranks. If you do not take active measures to ensure the accuracy of your intermediary database, it will become more and more out of date over time.
One strategy for maintaining the accuracy of your intermediary database is to ask all your intermediaries to review and update their due diligence questionnaire (DDQ) on an annual basis. Changes noted in the updated DDQ can then be used to update the third-party intermediary database and your enterprise resource planning records. I also recommend you incorporate into the DDQ update process a request that intermediaries certify that they have conducted, are currently conducting and will conduct their business in compliance with the law, applicable ethics standards and the intermediary agreement.
No intermediary auditing and monitoring program can be expected to detect every corrupt act your intermediaries are committed to hiding from you, but it will provide notice to all your intermediaries that your firm is serious about its insistence on lawful and ethical business practices and let them know you are watching. It will also afford you some measure of protection should the DOJ or SEC come knocking on your door regarding potential FCPA violations by one or more of your intermediaries.