Wednesday, March 3, 2021
Corporate Compliance Insights

Cost-Effective Intermediary Monitoring and Auditing

The Anti-Corruption Survivor’s Guide to Third-Party Intermediary Life Cycle Management, Part 6

by Jim Nortz
November 13, 2020
in Compliance, Featured

Monitoring your intermediaries can be an expensive endeavor. Jim Nortz explores how to keep an eye on your intermediaries without breaking the bank.

Read Part 5 here.

Years ago, a friend of mine recounted for me his first law school class. He and his fellow classmates had assembled and were seated in the lecture hall. There was a buzz of anticipation as they awaited the professor’s arrival. Posted in the front of the room above the chalkboard was a very conspicuous “No Smoking” sign.

The students were puzzled when a pudgy, gray-bearded law professor strode into the classroom puffing away on a very large cigar. He stood for several minutes eyeing the first-year students as the room became foggy with smoke. After some time had passed, he asked in a craggy old voice, “What is the law?”

After a minute of befuddled silence, he pointed to the no smoking sign with his cigar and said, “Is that the law? Is a law really a law when it is not enforced?”

This same question can be asked regarding your intermediary contracts. No matter how well-crafted, the words on the paper mean nothing unless you put in place a meaningful monitoring and auditing program to verify intermediary compliance. Not surprisingly, the DOJ and SEC share these sentiments. The second edition of the DOJ’s and SEC’s “Resource Guide to the U.S. Foreign Corrupt Practices Act,” released on July 3, 2020, states:

“[C]ompanies should undertake some form of ongoing monitoring of third-party relationships. Where appropriate, this may include updating due diligence periodically, exercising audit rights, providing periodic training and requesting annual compliance certifications by the third party.”

As is typical of most government guidance, it is long on the “what,” but short on the “how.”

Ideally, you might meet DOJ and SEC expectations by investing in the creation of a dedicated, multidisciplinary cadre of professionals to perform this work full time. If you have the resources and management support to do this, count yourself among the lucky few. If not, you will need to develop a commercially reasonable, cost-effective monitoring and auditing program that is sustainable and yields meaningful, actionable performance data. I recommend such a program comprise the following four elements:

  1. First-party monitoring,
  2. Third-party monitoring,
  3. Risk-based audits and
  4. Annual due diligence questionnaire updates and compliance certifications.

First-Party Monitoring

First-party monitoring is the ongoing company oversight of intermediary activities by the individuals assigned to mediate your company’s relationship with the intermediary. Ideally, such monitoring would consist of periodic site visits, meetings with intermediary management and open discussions about any compliance issues the intermediary might be encountering in performing its work. The idea is to fold compliance considerations into routine business discussions with your intermediaries and to keep an eye out for red flags during such interactions.

Do not presume that your business colleagues know how to perform this work or that they share your enthusiasm for monitoring intermediary compliance with contract terms, the law and ethical business practices. If your company is like most, your staff have a lot on their plate. For example, those charged with managing sales intermediaries must focus on myriad intermediary performance factors, like sales, revenue, territorial expansion and customer acquisition. Like the first-party due diligence practices described in Part 2 of this series, to ensure your business colleagues are performing this work, you will need to train them how to do it and get your management to set the expectations that it must be done.

Your success in selling first-party monitoring practices to your business colleagues will depend in part on whether you present to them a practical means of incorporating the work into their routine intermediary interactions. One way of achieving this objective is to provide your colleagues with practice aids such as checklists and reporting forms that can be completed with the click of a mouse and uploaded into your intermediary case management system to keep the compliance function and the business apprised of monitoring findings and to create a record that the work is being performed.

Third-Party Monitoring

Many of the firms that provide global intermediary due diligence services also provide monitoring services. Generally speaking, for a fee, these firms will continuously monitor hundreds of government databases for the names of your intermediaries and their principals. These services are designed to alert you to instances in which your intermediaries have been identified by government agencies as bad actors via your intermediary case management system. Such notifications will provide you timely information that will permit you to investigate such matters and, if necessary, sever relationships with intermediaries who have significant compliance issues.

As a practice note, when shopping for or setting up a third-party compliance monitoring program, be sure to get one that filters “false positive” hits to spare yourself hours of determining whether the “John Smith” on a government’s bad guys list is your “John Smith.” Also, make sure you understand the monitoring system’s limitations. Some systems may only monitor government databases, but not media reports or court decisions. If this is the case with your provider, you may need to supplement your intermediary third-party monitoring system with other resources. By way of example, in the past, I have retained outside law firms in jurisdictions like China to conduct quarterly searches of criminal cases for the names of company intermediaries.

Risk-Based Auditing

On-the-ground, in-person audits are by far the best way to determine whether your intermediaries are playing by the rules. However, for most companies, it is impractical and cost-prohibitive to audit every intermediary. So, to ensure you get the most bang for your buck, I recommend rank-ordering your intermediaries based on a set of risk factors. These could include:

  • The corruption perception index of the country in which they operate,
  • The frequency with which they interact with government officials,
  • The intermediary’s compliance program strength and
  • The intermediary’s annual sales revenue.

Once this risk-ranking exercise is completed, you will have a rational basis upon which to ground the selection of your audit targets and develop your audit plan. To further manage your costs and to ensure your intermediary audits are as productive as possible, I recommend you develop a sensible audit protocol and a standard reporting format with the object of directing your auditors to zero in on specific intermediary activities that drive corruption risks. The following is a high-level outline detailing key audit protocol elements:

  1. Forward to the intermediary a letter informing them of the audit, along with a questionnaire and request for documents regarding the following subject matter:
      • Anti-corruption policy and employee training records,
      • Any value transfers to customers or government officials (charitable contributions, political contributions, grants, gifts, consulting contracts, travel, entertainment expenditures, etc.) and
      • General ledger activity related to company expenditures including petty cash spend records.
  2. Review questionnaire and document responses, prior due diligence records and your company’s internal financial records related to the intermediary and plan audit scope.
  3. Execute an on-site audit by your company’s audit team with the assistance of a local independent auditor with the necessary language skills and knowledge of applicable laws, accounting standards and local business practices.
      • Review intermediary documents and financial records, and
      • Interview intermediary management and selected employees.
  4. Write a report summarizing audit findings, assessing:
      • The intermediary’s operations,
      • The intermediary’s anti-corruption policy and associated employee training program,
      • The quality of the intermediary’s books and records,
      • The intermediary’s interactions with and value transfers to customers and government officials and
      • Corruption red flags.

All such audit reports should be uploaded into your intermediary case management system and circulated to relevant business personnel as well as members of a corporate intermediary anti-corruption oversight team composed of legal, compliance, finance and accounting professionals charged with regulating all aspects of your intermediary anti-corruption program. This team should work with the business to take swift and decisive corrective action in response to any audit findings indicating the intermediary is likely engaged in corrupt business practices or is otherwise not complying with the terms of their intermediary agreement.

Annual Due Diligence Questionnaire Updates and Compliance Certifications

Like all businesses, intermediaries engage in mergers and acquisitions, change their names, move to new locations and make changes in their top leadership ranks. If you do not take active measures to ensure the accuracy of your intermediary database, it will become more and more out of date over time.

One strategy for maintaining the accuracy of your intermediary database is to ask all your intermediaries to review and update their due diligence questionnaire (DDQ) on an annual basis. Changes noted in the updated DDQ can then be used to update the third-party intermediary database and your enterprise resource planning records. I also recommend you incorporate into the DDQ update process a request that intermediaries certify that they have conducted, are currently conducting and will conduct their business in compliance with the law, applicable ethics standards and the intermediary agreement.

No intermediary auditing and monitoring program can be expected to detect every corrupt act your intermediaries are committed to hiding from you, but it will provide notice to all your intermediaries that your firm is serious about its insistence on lawful and ethical business practices and let them know you are watching. It will also afford you some measure of protection should the DOJ or SEC come knocking on your door regarding potential FCPA violations by one or more of your intermediaries.


Tags: anti-bribery, due diligence, monitoring
Jim Nortz

Jim Nortz is Founder & President of Axiom Compliance & Ethics Solutions LLC, a firm dedicated to driving ethical excellence by helping organizations implement effective compliance and ethics programs. Jim is a nationally recognized expert and thought leader in the field of business ethics and compliance with over a decade of experience serving multinational petrochemical, staffing, business process outsourcing, pharmaceutical and medical device corporations. Jim spent the first 17 years of his career as a criminal and civil litigator and Senior Corporate Counsel before becoming Crompton Corporation’s first Vice President, Business Ethics and Compliance in 2003. Since then, Jim has served as a compliance officer at Crompton and for five other multinational corporations, the most recent of which was as Chief Compliance Officer at Carestream Health. Jim has extensive experience in implementing world-class compliance and ethics programs sufficiently robust to withstand U.S. Department of Justice scrutiny. Jim is a frequent guest lecturer at the University of Rochester’s Simon School of Business, RIT’s Saunders School of Business, St. John Fisher College, Nazareth College and other law schools, universities and organizations around the country. Jim writes the monthly business ethics columns for the Association of Corporate Counsel Docket magazine and the Rochester Business Journal. Jim is a National Association of Corporate Directors Fellow, a member of the International Association of Independent Corporate Monitors and serves on the Board of Directors of the Rochester Chapter of Conscious Capitalism as the Board’s Secretary and Chair of the Governance and Nomination Committee. Previously, Jim served on the Board of Directors for the Ethics and Compliance Officers Association and the Board of the Rochester Area Business Ethics Foundation.

© 2019 Corporate Compliance Insights
