i

Knowledge Briefing

Internal Auditing and the Foreign Corrupt Practices Act

April 2010

ii

Disclaimer Copyright © 2010 by The Institute of Internal Auditors located at 247 Maitland Avenue, Altamonte Springs, FL 32701, U.S.A. All rights reserved. Published in the United States of America. Except for the purposes intended by this publication, readers of this document may not reproduce, redistribute, display, rent, lend, resell, commercially exploit, or adapt the statistical and other data contained herein without the permission of The IIA. The information included in this document is general in nature and is not intended to address any particular individual, internal audit activity, or organization. Based on the date of issuance and changing environments, no individual, internal audit activity, or organization should act on the information provided in this document without appropriate consultation or examination.

About This Report As part of its services, The IIA will publish a series of reports on topics of appeal to chief audit executives (CAEs) and other internal auditors that provide leading practices based on survey results and other recommendations from audit professionals in the field. Please note that The IIA surveys referenced in this report are not statistically based and their results are not representative of the entire population of internal auditors. Rather, they are benchmarking surveys based on the responses of CAEs and other internal audit professionals who are members of The IIA‘s Global Audit Information Network (GAIN). In addition, results from these surveys are solely intended to provide information (i.e., tools, resources, and/or other knowledge) that is based on the responses of survey participants only.

iii

Table of Contents

About This Report ............................................................................................................................. ii Executive Summary .......................................................................................................................... 1

Leading Practices ...................................................................................................................... 2 Overview of the U.S. Foreign Corrupt Practices Act ......................................................................... 5 Recommendations for Effective FCPA Internal Audits ...................................................................... 7 Recommendations for Organizational Compliance ......................................................................... 11 Recommendations for Audit Committees ........................................................................................ 13 Emerging FCPA Compliance Trends .............................................................................................. 15

Key Survey Findings............................................................................................................... 15 Resources ....................................................................................................................................... 21

Official FCPA Information .................................................................................................... 21 Online Articles and Other Resources ................................................................................... 21

1

Executive Summary In 1977, the U.S. Congress enacted the U.S. Foreign Corrupt Practices Act (FCPA). The act is known primarily for two of its main provisions: one that addresses accounting transparency requirements under the U.S. Securities Exchange Act of 1934 and another for its anti-bribery provisions concerning foreign officials. Although the FCPA had a great level of impact on internal audit activities during the first couple of years after its enactment, interest dwindled during the 1980s as a new generation of internal auditors emerged. However, attention to the legislation has flourished once more among chief audit executives (CAEs) and internal auditors given the recent emphasis the U.S. Department of Justice (DOJ) and U.S. Securities and Exchange Commission (SEC) are placing on the legislation. During the past couple of years, the DOJ and SEC have stepped up their efforts to monitor compliance with the FCPA, leading to an increase in the number of cases brought against individuals and organizations. This greater emphasis has led to an increase in the number of noncompliance enforcement acts, including a US $1.6 billion fine settlement in 2009 by Siemens AG to U.S. and German regulators.

1

More specifically, this increased focus has led to the development of:

A specialized FCPA enforcement unit.

New approaches to uncover and prosecute fraud.

Greater multi-jurisdictional coordination.

Increases in fines, penalties, and recovery of proceeds. Furthermore, when fraud or bribery is found authorities now question what specific controls were in place for detecting FCPA violations and the CEO‘s, chief financial officer‘s (CFO‘s), and CAE‘s involvement in the failure to detect and prevent FCPA risk in the organization.

1 Compliance Week, ―Siemens Teaches Cos. FCPA Dos and Don’ts,‖ www.complianceweek.com/article/5234/siemens-

teaches-cos-fcpa-dos-and-don-ts

Key FCPA Recommendations Discussed in the Knowledge Briefing

The following leading practices and recommendations are explored in this Knowledge Briefing and can help CAEs and other internal auditors ensure their organization’s anti-corruption prevention and detection efforts pay close attention to this important legislation:

Recommendations for internal auditors include making

sure controls are properly designed, well established, and documented; coordinating FCPA and financial reporting control reviews; performing a risk assessment that identifies FCPA compliance risks; incorporating FCPA screenings as part of planned compliance audits; determining if the organization is providing training to employees dealing with FCPA compliance; and performing testing procedures as a scope area in audit engagements.

Recommendations for assessing FCPA risk areas include evaluating policies and procedures; analyzing risk factors; brainstorming potential violation schemes; and assessing the likelihood, significance, and pervasiveness of FCPA issues.

Recommendations for organizationwide compliance initiatives include implementing policies and procedures that identify corrupt practices, performing employee training, and monitoring procedures that identify when FCPA issues may occur.

Recommendations for audit committee members pertaining to FCPA compliance efforts include ensuring the organization’s code of conduct and policies outline the steps needed to achieve FCPA compliance; determining whether legal counsel and the CAE have access to expertise on FCPA issues; and assessing if FCPA testing is incorporated into the audit plan and risk assessments.

2

Leading Practices Following is a summary of the recommendations and leading practices discussed in this Knowledge Briefing obtained from CAEs and other sources of information: Recommendations for Internal Audit Activities. To ensure internal auditors are adding value to their organization‘s FCPA compliance efforts, CAEs should:

Ensure the internal audit activity is part of the compliance program during the beginning stages to make sure controls are properly designed, well established, and documented.

Recommend that the organization applies the Open Compliance and Ethic Group‘s (OCEG‘s) GRC Capability Model,

2 which can help organizations mature their approach to

anti-corruption.

Coordinate financial reporting control reviews and FCPA audits that look into anti-corruption processes, if these are separate activities.

Perform a risk assessment that identifies FCPA compliance risks.

Incorporate FCPA screenings as part of planned compliance audits.

Determine if the organization is providing training and education to employees dealing with FCPA compliance. This includes mandatory training sessions for all internal auditors.

Perform testing procedures as a scope area in internal audit engagements to confirm whether fraud controls and processes are working as intended or whether vulnerabilities exist.

Assessing FCPA Risk. Risk assessments often start with an evaluation of policies and procedures; an analysis of risk factors; the brainstorming of potential violation schemes; and an assessment of the likelihood, significance, and pervasiveness of FCPA risks. For more detailed analysis, however, internal auditors can consider the following qualitative and quantitative risk factors as part of the annual risk assessment effort:

The history of industry and company FCPA violations.

The company‘s geographic location and its corruption rating from Transparency International.

Each country‘s anti-corruption enforcement level and ongoing investigations or schemes.

Business unit susceptibility to FCPA violations related to the use of third parties.

Employee, vendor, and agent knowledge and awareness of FCPA rules.

Findings from previous transaction tests, audits, surveys, and hotlines.

Previous internal control deficiencies.

Recent business unit changes in management or business composition.

International business unit revenues.

The dollar amount and percentage of government business activities.

The number and dollar amount of accounts payable transactions.

Payments to third parties including sales agents and commercial agents.

Payments for professional services and discretionary, noninventory spending.

Growth rates.

Budget to actual variances and the nature of time and expense reporting.

2 GRC stands for governance, risk, and compliance.

3

Recommendations for Organizationwide Compliance Initiatives. At a minimum, FCPA compliance programs should have the following elements:

3

Clearly written policies and procedures that identify what is expected from employees and business partners with regards to anti-corruption compliance.

Human capital controls, including employee training.

Monitoring and reporting procedures, such as establishing an executive-level FCPA

review committee or an FCPA compliance officer or ombudsman, and developing

screening methods, checklists, and questionnaires to identify when FCPA issues may

occur and for use internally and with third-parties.

Recommendations for Audit Committees. The audit committee plays a vital role helping the

organization assess the effectiveness of FCPA compliance efforts and ensuring risks are taken

into consideration that could hinder compliance with the legislation. Consequently, the audit

committee should:

Inquire the CEO and CFO about the FCPA compliance program, including whether the organization‘s code of conduct and policies outline the steps needed to achieve FCPA compliance.

Inquire the CEO, CFO, legal counsel, and the CAE on the organization‘s plan should a violation occur as well as the process for disclosures and their timing.

Determine whether legal counsel and the CAE have access to expertise on FCPA issues, including the involvement of a third party that can provide recommendations to enhance the FCPA program‘s effectiveness.

Assess whether FCPA testing is incorporated into an internal audit program and risk assessment.

Ask senior management to provide evidence on the existence of: o A unified risk matrix that identifies and assesses corruption of fraud risk situations and

the controls established for each. o A mechanism to monitor compliance with the anti-corruption program. o Documentation of change management controls, if needed.

Make sure there is a management process in place that moves things through in a timely fashion in the event that a fraudulent event is identified.

Ascertain whether the organization‘s executive compensation policy clearly states how incentive-based pay will be determined and allocated.

Ensure FCPA compliance is included as part of the enterprise risk management (ERM) program, especially if the organization performs business transactions internationally.

Request that management obtain and present OCEG certification of the design and ultimate implementation of the anti-corruption program.

Benchmarking of FCPA Activities. Finally, The IIA performed a survey among GAIN members to obtain information regarding compliance efforts with the FCPA. The survey identified the following four key findings:

FCPA compliance efforts are taking a more prominent role organizationwide.

Internal auditors are becoming key players in their organization‘s FCPA compliance efforts.

3 DOJ Opinion Procedure Release 04-02, www.justice.gov/criminal/fraud/fcpa/opinion/2004/0402.pdf

(PDF, 23.6 KB) lists 12 elements for an effective anti-bribery compliance code, (PDF, 23.6 KB).

4

Training and coordination of compliance activities were identified as the top practices in ensuring compliance with the FCPA.

Risks assessments are a key component of the organization‘s FCPA compliance efforts. This Knowledge Briefing explores each of these leading practices, recommendations, and survey results in more detail.

5

Overview of the U.S. Foreign Corrupt Practices Act The FCPA, which was first enacted in 1977 and revised in 1988, prohibits payments to non-U.S. officials for the purpose of obtaining business, and mandates that books and records be maintained to reasonably assure that no such payments are made. The act applies to U.S. citizens or residents and any organization that has a class of securities registered or that is required to file reports under the U.S. Securities and Exchange Act. In particular, the FCPA addresses two fundamental areas:

The anti-bribery provision makes it unlawful to make corrupt payments to a foreign official for the purpose of obtaining or retaining business or for directing business.

The books and records provision requires companies that file reports with the SEC to keep books and records that fairly and accurately reflect business transactions and maintain an adequate system of internal accounting controls.

Corporate interest in the FCPA has exploded in recent years given the DOJ‘s greater emphasis on the legislation. However, many internal auditors and executive managers are still unaware of the repercussions noncompliance with this important legislation could have on the organization. ―The challenge for the internal audit profession is that most internal auditors were not around in 1977 when the act first came out,‖ says Larry Harrington, CIA, vice president of internal audit for defense technology contractor Raytheon Co. based in Waltham, Mass. ―However, the DOJ‘s and SEC‘s increasing level of attention to the FCPA during the past couple of years has created more corporate awareness and, consequently, training opportunities for internal auditors and companies in general.‖

The FCPA and Federal Sentencing Guidelines During the mid-1980s, the U.S. Sentencing Commission created the Federal Sentencing Guidelines for Organizations. “The guidelines were enacted to provide guidance and a level of consistency for federal judges in imposing penalties on individuals and corporations found guilty of violating federal criminal laws including the FCPA,” explains Gary Fair, vice president of corporate internal audit for New Jersey-based Johnson & Johnson. “The guidelines outline aggravating and mitigating factors for the court to consider in setting the appropriate punishment for an FCPA violation. These factors, in turn, can provide guidance in establishing and assessing FCPA compliance programs.” In particular, the Federal Sentencing Guidelines require federal courts handing down criminal sanctions to take into account the implementation of an effective corporate compliance program. Therefore, if an organization has a robust FCPA compliance program that follows the Federal Sentencing Guidelines’ recommendations and there is a noncompliance problem, the DOJ might show leniency when deciding the amount of fines to be paid. However, if the organization is in noncompliance with the FCPA and does not follow the Federal Sentencing Guidelines, then the fine may be up to twice the benefit that the organization or defendant sought to obtain by making the corrupt payment. For instance, in previous FCPA compliance cases, the presence of an effective compliance program has significantly reduced settlements by as much as 95 percent. “The Federal Sentencing Guidelines set forth harsh penalties for corporations whose employees violate federal criminal law such as the FCPA,” adds Cindi Hook, vice president of global audit and transformation for Texas-based Dell Inc. “As with any compliance program, it is prudent for organizations to build FCPA compliance programs that incorporate all the effective elements established by the Federal Sentencing Guidelines into their ethics and compliance programs.”

6

According to Harrington, the increased government oversight on FCPA compliance efforts also is having a profound impact on organizations across the United States. During the first 25 years after the act‘s enactment, there were 17 enforcement actions compared to 40 in 2008 and 120 in 2009 — a 200 percent increase in the number of fines given within a 12-month period alone. In addition, corporate officers are serving jail time for up to five years, and organizations can pay up to US $25 million for accounting books and records violations and US $2 million in fines involving bribes. Cindi Hook, vice president of global audit and transformation for Texas-based Dell Inc., agrees with Harrington. As Hook explains, although internal auditors have historically audited for FCPA compliance since enactment of the law in 1977, recently internal auditors have enhanced their FCPA audit programs given the increasing reliance of U.S.-based organizations on foreign operations and the harsher penalties for noncompliance. A prime example of these tougher penalties is the recent US $185 million deal automaker Daimler has agreed to pay in fines as a direct result of the organization‘s lack of enforcement with its code of integrity, which included anti-bribery provisions.

4

―This increase in enforcement actions and fines clearly shows that the FCPA is a top issue for the DOJ, and should be a top priority for any organization performing business outside the United States,‖ says Harrington. ―Although it is hard to get the necessary evidence to prosecute individuals and organizations that engage in bribes and illegal payments, DOJ is using books and records to prosecute companies as these are hard to cover up.‖ Compliance with anti-corruption laws and regulations extends outside the United States as well. Europe and other parts of the world have similar legislation to the FCPA. Anti-corruption legislation in Europe, for instance, doesn‘t allow facilitation payments and the ramifications of noncompliance are more profound. Germany is also the most active enforcer behind the United States. Consequently, Harrington expects that FCPA compliance mandates will be tightened even more within the next couple of years.

4 The Associated Press, ―Daimler Bribes: A Blown Chance to Clean Up Its Act‖ (April 1, 2010),

www.google.com/hostednews/ap/article/ALeqM5hgUeBg0DEtawEb6oOAZK4JdQ1Q_gD9EQ9RSG0

7

Recommendations for Effective FCPA Internal Audits According to Carole Switzer, president of OCEG, a nonprofit organization that offers governance, risk, and compliance guidance, FCPA compliance programs should be no different than other compliance initiatives. ―Overall, organizations need to have clearly documented policies and procedures, technical controls, and training,‖ Switzer says. ―Part of the problem we see in many organizations is the lack of a coherent and organized structure around compliance with a particular requirement. However, in a well-organized company the anti-corruption program is also well-run.‖ To help organizations enhance their compliance activities, internal auditors need to be a part of the compliance program during the beginning stages. This helps to make sure controls are properly designed, well established, and documented. In addition, internal auditors can recommend that the organization applies OCEG‘s GRC Capability Model. Also known as the OCEG Red Book, the model enables organizations to go through the different steps that can help them mature their approach to anti-corruption so that it achieves transparency. Once implemented, internal auditors can then evaluate its effectiveness in preventing and detecting fraudulent behavior. The organization also may obtain OCEG certification of the design and implementation of the anti-corruption program, thus demonstrating it follows Red Book practices for an effective and high-performing program. In addition to helping organizations enhance FCPA compliance efforts, CAEs need to be cognizant of the differences between traditional financial reporting activities and FCPA reviews. For instance, unlike traditional financial reporting, the FCPA does not have a materiality threshold. Therefore, corporate FCPA guidelines and internal audit programs should be different from compliance programs aimed at ensuring the accuracy of financial reporting. ―Given the specificity of FCPA reviews, we have found that it is better to separate these reviews from our financial controls and compliance audits,‖ explains Gary Fair, vice president of corporate internal audit for New Jersey-based Johnson & Johnson. ―Still, since both types of audits have books and records components, there is a communication link between the work done to review controls over the accuracy of financial reporting and FCPA audits that look into anti-corruption processes.‖ In addition, as Fair continues, keeping financial controls reviews and FCPA audits separate should not absolve financial auditors from the responsibility of being cognizant of FCPA issues and for escalating any issues that require more investigation.

Recommendations for Internal Audit Activities To ensure internal auditors are adding value to their organization’s FCPA compliance efforts, CAEs should:

Ensure the internal audit activity is part of the compliance program during the beginning stages to make sure controls are properly designed, well established, and documented.

Recommend that the organization applies OCEG’s GRC Capability Model, which can help organizations mature their approach to anti-corruption.

Coordinate financial reporting control reviews and FCPA audits that look into anti-corruption processes, if these are separate activities.

Perform a risk assessment that identifies FCPA compliance risks.

Incorporate FCPA screening as part of planned compliance audits.

Determine if the organization is providing training and education to employees dealing with FCPA compliance. This includes mandatory training sessions for all internal auditors.

Perform testing procedures as a scope area in internal audit engagements to confirm whether fraud controls and processes are working as intended or whether vulnerabilities exist.

8

Besides the recommendations above, interviewees discussed four practices that have served to enhance their organization‘s FCPA compliance efforts. These are the performance of risks assessments that identify risks around FCPA compliance, FCPA screenings, mandatory FCPA training for all internal auditors, and testing. Risk assessment. To ensure internal audit plans specifically address FCPA issues, CAEs need to ensure that the annual risk assessment incorporates risks around FCPA compliance. However, unlike the typical low, medium, and high risk assessment methodology, once an organization conducts foreign sales, noncompliance risks will always be high regardless of the total sales revenue collected. Other items that can be included in the risk assessment are reviews of expense reports and payments to government officials and audits on the effectiveness of established internal controls pertaining to books and records. (Read ―Assessing FCPA Risk‖ for more recommendations.) FCPA screenings. An FCPA screening is a tool that can help internal auditors identify when FCPA issues may occur during the normal course of business operations. Hook recommends that internal auditors incorporate FCPA screenings as part of compliance audits. ―Planned engagements should be evaluated as to whether FCPA screenings should be included in the scope,‖ she states. ―Key indicators include newly established business operations outside of the United States, increased business in countries with developing economies, and the use of third parties in transactions with non-U.S. government officials.‖ To increase the screening‘s effectiveness, internal auditors should apply manual and automated methods to search for potential FCPA violations and evaluate the design and operating effectiveness of detection, prevention, and monitoring controls aimed at FCPA compliance. In addition, auditors should examine all components of the FCPA compliance program, including:

Assessing FCPA Risk In “Prescription for FCPA Compliance” author Matt Birk, partner from Deloitte Financial Advisory Services LLP, writes that risk assessments often start with an evaluation of policies and procedures; an analysis of risk factors; the brainstorming of potential violation schemes; and an assessment of the likelihood, significance, and pervasiveness of FCPA risks. For more detailed analysis, however, internal auditors and other compliance and legal staff can consider the following qualitative and quantitative risk factors:

The history of industry and company FCPA violations.

The company’s geographic location and its corruption rating from Transparency International.

The country’s anti-corruption enforcement level and ongoing investigations or schemes.

Business unit susceptibility to FCPA violations related to the use of third parties.

Employee, vendor, and agent knowledge of the FCPA rules and FCPA policies within the organization.

Findings from previous transaction testing, audits, surveys, and hotlines.

Previous internal control deficiencies.

Recent business unit changes in management or business composition.

International business unit revenues.

The dollar amount and percentage of government business.

The number and dollar amount of accounts payable transactions.

Payments to third parties including sales agents and commercial agents.

Payments for professional services and discretionary, noninventory spending.

Growth rates.

Budget to actual variances.

Nature of time and expense reporting. Source: Internal Auditor, ―Prescription for FCPA Compliance‖ (February 2010), pp. 53–57)

9

Gift and travel policies.

Cash management and disbursement policies.

Incident reporting and investigation procedures.

FCPA awareness and education.

Third-party oversight. FCPA internal audit training. ―The FCPA has forced internal auditors to consider elements that were not previously considered within the normal realm of a financial audit,‖ says Fair. ―In fact, due to the exposure and criticality of the FCPA, there‘s been a need for more training for internal auditors and the hiring of experienced auditors to conduct FCPA audits.‖ As a result, CAEs need to determine whether the organization is providing the necessary training and education to employees dealing with FCPA compliance issues to ensure they fully understand what is required of them and are executing their work appropriately. Fair has instituted mandatory FCPA training for all internal auditors. Training is given to all new employees at the time of hire and at least annually. The sessions are taped and placed on Johnson & Johnson‘s Web site and are available to all employees 24 hours a day, seven days a week. Furthermore, the company‘s FCPA auditors are required to complete internal and external training that is even more extensive. Other practices internal audit activities can undertake to maximize the organization‘s FCPA compliance program include:

Assessing management‘s FCPA knowledge and compliance activities.

Testing policies and procedures for awareness and effectiveness.

Accumulating automated controls and proactive data anomaly detection tools.

Selecting samples of high-risk transactions for further analysis.

Testing transactions to determine whether FCPA controls are working as intended.

Reporting findings to compliance officers, audit committees, and legal counsel.

Driving policy and procedural change using identified risks and gaps.

Training foreign employees.

Sharing with employees lessons learned from prior FCPA matters. Testing. Once internal auditors have determined FCPA is an area of concern for the organization, internal audit plans must incorporate testing procedures to confirm whether fraud controls and processes are working as intended or whether vulnerabilities exist. ―Internal auditors can add FCPA requirement testing as a scope area in their engagements,‖ says Hook. ―Auditors can test specific red flags and help perform ethics investigations regarding potential FCPA violations.‖ According to Matt Birk, partner in Deloitte Financial Advisory Services LLP,

5 testing often involves

an analysis of several areas for high-risk transactions or lack of controls including:

General ledger accounts such as fines, penalties, licenses, permits, travel expenses, employee bonuses, entertainment, marketing, commissions, education, and gifts to charitable and political organizations.

Accounts payable data for high-risk transactions, such as commission payments and professional services fees.

Accounts receivable data for US $0 invoices or credits to customers.

Anti-bribery provisions in agreements with agents.

5 Internal Auditor, ―Prescription for FCPA Compliance‖ (February 2010), pp. 53–57

10

Activities and payments related to sales to government customers.

Purchases from partially or wholly government-owned entities.

Payments to government entities for goods, services, and other regulatory matters such as fines, penalties, licenses, and permits.

Employee expense reports.

Bank statement reconciliations and details.

Petty cash activities. To maximize testing, internal audit activities can employ the use of technology. For instance, electronic data anomaly filters and customized queries can assist internal auditors interrogate databases and quickly identify potential high-risk transactions. Automated monitoring and detection controls can help spot red flags, such as overspending on entertainment and gifts to government officials, while online risk surveys can help internal auditors obtain qualitative information to confirm interview leads and identify new investigation avenues. Finally, key word searches can help identify potential FCPA violations by revealing potential red flags such as invoices that have been paid twice, requests for questionable payments by agents or business partners, and round-dollar payments. Key word searches can be applied to financial databases, general files, or employee e-mails.

11

Recommendations for Organizational Compliance Many types of controls come into play to ensure the effectiveness of an organization‘s anti-corruption program and, consequently, FCPA compliance efforts. As Switzer explains, first the organization needs to have clear policies that identify corrupt practices. Many of the policies go above and beyond FCPA compliance and include documented procedures that support these policies. Second, organizations need to think about the human capital controls that can be put into place. One of the most important controls, as stated earlier, is effective training. ―There are many modes and methods of training,‖ says Switzer. ―The DOJ takes the view that anti-corruption training should be provided to individuals based on their level and responsibility as part of the anti-corruption program. However, all employees and stakeholders who are in situations that provide opportunity to engage in or facilitate a corrupt activity should receive training designed to address their specific roles.‖ Training also needs to go beyond an understanding of what is considered a corrupt practice. Many employees are placed in situations where someone in power tells them to do something that is unethical or illegal. Consequently, employees need to be trained in how to respond to and manage through these difficult situations. This often requires them to know how to manage communication to ensure compliance rather than simply understanding what the law says. In addition to implementation of a staff training program, HG.org, a Web site that provides legal directories and information, recommends that organizations implement the following steps:

Draft a written policy on FCPA compliance and distribute the policy to all employees, including those located in overseas offices. The FCPA policy should be carefully written to reflect the actual business and operations of the organization and should be updated regularly to reflect new developments in the United States and rapidly evolving changes in anti-bribery laws around the world.

Implement the FCPA policy by putting in place comprehensive monitoring and reporting procedures that reflect the company‘s business and operations. Procedures to consider including in the FCPA policy are:

o Establishing an executive-level FCPA review committee to manage and review issues as they arise.

o Designating an FCPA compliance officer or ombudsman to whom FCPA referrals may be made by employees on a confidential basis.

o Developing screening methods and checklists to identify when FCPA issues may occur during normal business operations.

o Crafting questionnaires for use internally and with third-parties.

Recommendations for Organizationwide Compliance Initiatives

In addition to having the right tone at the top in support for the organization’s FCPA compliance efforts, at a minimum, FCPA compliance programs should have the following elements:

Clearly written policies and procedures that state what can and cannot be done in terms of corruption.

Human capital controls, including employee training.

Detective, preventive, and monitoring controls aimed at FCPA compliance, which are integrated into each department within the organization.

Monitoring and reporting procedures, such as an executive-level FCPA review committee, an FCPA compliance officer or ombudsman, screening methods and checklists to identify when FCPA issues may occur, and questionnaires for use internally and with third-parties.

12

o Writing appropriate contract language for inclusion in all agreements that may give rise to FCPA concerns.

Act swiftly if FCPA allegations and violations are received. In the event actual violations have occurred, the company should have in place standard disciplinary procedures that apply to all employees who violate the FCPA policy. The company also should assess whether its policies and procedures need to be modified and its internal enforcement strengthened. In appropriate cases, the company should consider voluntary disclosure of FCPA violations to the federal government to mitigate its exposure to enforcement action.

Review FCPA matters regularly. The company‘s FCPA review committee or compliance officer should report regularly to the company‘s board of directors any policy violations, enforcement measures, and disciplinary actions. The board should periodically evaluate the effectiveness of the FCPA policy and procedures.

Ensuring the organization has the right tone at the top is also essential to the success of the organization‘s FCPA compliance efforts. As the recent Daimler example illustrates, one of the reasons behind‘s Daimler lack of compliance with the FCPA was due to management‘s resistance to the code of integrity‘s anti-bribery provisions. ―At an organizational level, there should be a strong control environment, including the right tone at the top,‖ says Hook. ―There should be no tolerance for unethical behavior and a strong tone of ethical integrity at the senior management level.‖ As Hook continues to explain, executive management must be committed to the notion that acting legally and ethically is just as important to the organization as being profitable, and operate under the mindset that business will be won based on the merit and integrity of the organization‘s products, services, and stakeholders. Detective, preventive, and monitoring controls aimed at FCPA compliance also should be integrated into each department within the organization. Finally, CAEs can recommend that the organization follows the seven elements of an effective ethics and compliance program (PDF, 243 KB). Johnson & Johnson‘s FCPA compliance initiative follows the seven elements, which include written FCPA policies and procedures and compliance testing by local or regional teams and internal auditors. (For more information on the seven elements, read ―Effective Ethics and Compliance Program Elements‖ at the end of this page.)

Effective Ethics and Compliance Program Elements According to Nick Ciancio, chief compliance officer for ethics and compliance solutions service provider Global Compliance, the following seven elements should be included in any ethics and compliance program to maximize its effectiveness: 1. Standards and procedures, such as the organization’s code of conduct, which outline expected behaviors

from all employees. 2. Oversight including the presence of a strong leader. 3. Education and training. 4. Auditing and monitoring of internal systems and verifying their compliance with the FCPA. 5. A reporting mechanism for employees to voice allegations or concerns without fear of retribution. 6. Consistent enforcement of standards and procedures via appropriate disciplinary actions. 7. Response and prevention actions once an allegation is made or an occurrence of unethical behavior

is reported. For more recommendations on how to implement an effective ethics and compliance program, read The IIA’s Implementing an Effective Ethics and Compliance Hotline (PDF, 1.3 MB).

13

Recommendations for Audit Committees As part of their work, CAEs need to inform the audit committee if there are any issues that could deter the organization from achieving compliance with any legislation. Similarly, audit committees play a vital role helping to ensure the organization‘s internal controls properly reflect its risk portfolio. Consequently, CAEs can help educate audit committee members about the FCPA and its impact on the organization, the organization‘s responsibility toward FCPA compliance, and the different elements needed to maximize the compliance program‘s effectiveness. ―Audit committees have a risk oversight responsibility and are in constant communication with the internal audit, accounting, external audit, legal, and ethics and compliance teams,‖ says Hook. ―As a result, they can ensure there is a well-established and effective FCPA compliance program in place by reviewing planned program priorities and results.‖ According to the American Institute of Certified Public Accountants (AICPA),

6 the

audit committee should inquire:

The CEO and CFO about the FCPA compliance program as to whether the organization‘s code of conduct and policies outline the steps needed to achieve FCPA compliance.

The CEO, CFO, legal counsel, and the CAE on the organization‘s plan should a violation occur and the process for disclosures and their timing.

Legal counsel and the CAE if they have access to expertise on FCPA issues.

The CAE on how FCPA testing is incorporated into an internal audit program and risk assessments.

6 AICPA’s ―Foreign Corrupt Practices Act — Primer and Tool for Audit Committees‖ (June 2008),

www.aicpa.org/download/audcommctr/Audit_Committee__FCPA.pdf (PDF, 150 KB)

Recommendations for Audit Committees on FCPA Compliance

The audit committee plays a pivotal role helping the organization assess the effectiveness of FCPA compliance efforts and ensuring risks are taken into consideration that could hinder its compliance with the legislation. Consequently the audit committee should:

Inquire the CEO and CFO about the FCPA compliance program, including the organization’s code of conduct and policies outlining the steps needed to achieve FCPA compliance.

Ask the CAE, CEO, CFO, and legal counsel on the organization’s plan should a violation occur and the process for disclosures and the timing for disclosures.

Determine if legal counsel and the CAE have access to expertise on FCPA issues, including the involvement of a third party that can provide recommendations to enhance the FCPA program’s effectiveness.

Assess whether FCPA testing is incorporated into an internal audit program and risk assessments.

Ask senior management to provide evidence on the existence of: o A complete and unified risk matrix that shows the

organization has thought through the processes or situations that could arise and lead to noncompliance with the act.

o A list specifying each process control owner. o A mechanism to monitor compliance with the anti-

corruption program. o Documentation of change management controls,

if needed.

Make sure there is a management process in place that moves things through in a timely fashion in the event that a fraudulent event is identified.

Ascertain whether the organization’s executive compensation policy clearly states how incentive-based pay will be determined and allocated.

Ensure FCPA compliance is included in the enterprise risk management (ERM) program, especially if the organization performs business transactions internationally.

14

Besides ensuring that the organization has formal, written anti-corruption policies and procedures, Switzer recommends that audit committees ask senior management to gain OCEG certification of the anti-corruption program and provide evidence on the existence of the following elements:

A complete and unified risk matrix that shows the organization has thought through the processes or situations that could lead to noncompliance with the FCPA.

A list specifying the owners for each process control.

A mechanism to monitor compliance with the anti-corruption program.

Documentation of change management controls, if needed. The audit committee also needs to make sure there is a management process in place that moves things through in a timely fashion in the event that a fraudulent event is identified. As part of this process, issues must be reported and resolved, including the reporting and resolution of the underlining cause. Similarly, the audit committee needs to make sure the organization has an established mechanism to deal with program violations even-handedly. As Switzer explains, this means there should be no selective enforcement of the anti-corruption program‘s compliance. Furthermore, the audit committee needs to make sure there is a clearly stated executive compensation policy that talks about incentive-based pay. ―Corruption arises when an individual has the personal motive and the right organizational incentives in place, which are often unintentional on the part of the organization,‖ comments Switzer. ―Therefore, the audit committee should ensure the compensation policy has removed any potential incentives for fraud.‖ Harrington recommends that audit committees ensure FCPA compliance is included as part of the ERM program, especially if the organization performs business transactions internationally. ―Transparency International publishes an annual Corruption Perceptions Index (CPI), which measures the perceived level of public-sector corruption in 180 countries and territories around the world,‖ adds Harrington. ―If an organization works in a country that ranks highly on this index, audit committees need to make sure the organization‘s ERM program makes FCPA compliance a high priority.‖ One way to go about ensuring FCPA is a high priority is by asking management to do presentations on the types of controls that the organization needs and has implemented surrounding FCPA compliance and what they are doing to ensure compliance. The internal audit activity then monitors management‘s performance in this area and tests the effectiveness of controls in ensuring compliance. ―Basically, it‘s a three-pronged approach consisting of the audit committee, management, and the internal audit activity to make sure the company is in compliance,‖ says Harrington.

Finally, the audit committee might recommend the involvement of a third party that can provide recommendations to enhance the FCPA program‘s effectiveness. Third-party service providers include law firms or a Big Four accounting firm with expertise in FCPA compliance.

15

Emerging FCPA Compliance Trends In March 2010, The IIA performed a survey to identify the state of compliance efforts with the FCPA among members of The IIA‘s Global Audit Information Network (GAIN).

7

A total of 1,802 survey invitations were sent of which 129 responses were obtained.

8 Of

these responses, 82 CAEs and internal audit directors and managers stated that their organization performs business transactions outside the United States. Following is a summary of the key survey findings obtained from the 82 respondents.

Key Survey Findings

FCPA compliance efforts are taking a more prominent role organizationwide. According to survey results, the majority of organizations performing business transactions outside the United States have implemented programs addressing FCPA compliance. Of the 88 percent of organizations with an FCPA compliance program:

46 percent have robust, formal programs (i.e., they include policies, procedures, monitoring, and training).

24 percent have informal programs that will be transitioned into a more formal program in the future.

18 percent have informal programs that include some of the elements featured in more robust, formal programs.

The presence of FCPA compliance programs goes hand-in-hand with the importance of the subject at an organizational level. As evident in the survey results, 71 percent of the 82 respondents stated that the level of attention the organization pays to FCPA compliance has increased over the past three years. The No. 1 reason for this increased level of attention is the organization‘s expansion or future expansion into international markets, followed by increased regulatory attention and enforcement, previous incidents leading to a heightened focus on FCPA compliance, and increased media coverage of noncompliance situations.

7 IIA Flash survey, ―The U.S. Foreign Corrupt Practices Act: Current Internal Audit and Compliance Practices‖ (March

2010), www.theiia.org/download.cfm?file=54479 8 Forty percent and 30 percent of survey participants work in internal audit activities consisting of 3–6 and 7–15

internal auditors, respectively; 50 percent work in organizations with annual revenues of US $1 billion or more; the top

five industries represented by participating organizations include manufacturing (26 percent), financial

services/banking/real estate (10 percent), insurance carriers/agents (9 percent), health services (6 percent), and

educational services and wholesale/retail (6 percent, each); finally 47 percent of respondents work in organizations

conducting business transactions in 1–10 countries, 23 percent work in organizations conducting business transactions

in 11–20 countries, 9 percent of participating organizations perform business transactions in 21–30 countries, and 21

percent perform business transactions in more than 30 countries.

Key Survey Results

The IIA performed a survey among GAIN members to obtain baseline information regarding compliance efforts with the Massachusetts Data Privacy Law. The survey identified the following four key findings:

Most responding organizations are in compliance with all law provisions.

Key internal audit roles pertain to the evaluation of the program’s compliance, testing of internal controls, and monitoring of compliance efforts.

Use of portable devices was identified as the number one information security risk.

Presence of clearly stated and enforced policies and procedures is the number one compliance practice among respondents.

16

Internal auditors are becoming key players in their organization’s FCPA compliance efforts. Internal audits of FCPA compliance activities are increasing, and a large number of internal auditors are providing much needed assistance by participating as key members of organizationwide FCPA compliance programs. More than half of the internal audit activities represented in the survey (61 percent) perform audits surrounding FCPA compliance that are incorporated into reviews of operating units or processes. In addition, the primary role of internal auditors is to provide support as needed or requested during investigations of FCPA violations. (Refer to Figures 1, 2, and 3 for a detailed summary of these responses.) Figure 1. Percent of Internal Audit Activities Performing FCPA Compliance Reviews (Note: Percentages are based on the 82 respondents working in organizations that perform business transactions outside the United States)

Figure 2. Internal Audit Efforts Pertaining to FCPA Compliance (Note: Percentages are based on the 61 percent of respondents stating they perform FCPA compliance reviews)

61%

39%

Yes

No

4%

14%

26%

28%

32%

70%

Other

A continuous monitoring program is conducted to assess FCPA compliance

An enterprisewide audit of the FCPA program is executed

Operating units or processes are audited for FCPA compliance if there is some indication of

FCPA compliance problems

Operating units or processes are subject to regular, separate audits for FCPA compliance

FCPA audits are incorporated into other internal audits of operating units or processes

17

Figure 3. Internal Audit Roles During Investigations of FCPA Violations (Note: Percentages are based on the 82 respondents working in organizations that perform business transactions outside the United States)

The survey also found a trend toward heightened internal audit focus among participants — 45 percent of survey participants stated that FCPA internal audit efforts have increased for 2010 since 2008 compared to 46 percent who stated audit efforts have stayed the same. In 65 percent of the organizations where internal audit efforts have increased, assurance and consulting activities have increased by up to 25 percent

9 and by 50 percent or more in 31 percent of the

organizations.10

Finally, board-level responsibility for FCPA efforts is executed mostly at the audit committee level,

11 which helps to further increase internal audit awareness on the subject and better

coordinate FCPA compliance activities organizationwide. As stated earlier, 70 percent of organizations incorporate FCPA audits into other internal audits of operating units or processes and in 77 percent of the organizations there is joint coordination between the internal audit activity and legal department on matters pertaining to FCPA compliance and testing. Training and coordination of compliance activities were identified as the top practices in ensuring compliance with the FCPA. Respondents were asked to identify leading organizational and internal audit practices pertaining to FCPA compliance. According to survey respondents, training was identified as the No. 1 organizational practice in ensuring compliance with the FCPA. Other organizational practices in order of importance include:

Internal audit processes and organizational controls that ensure compliance in addition to the organization‘s code of conduct or ethics.

Compliance audits and monitoring.

An annual compliance certification process with business conduct policies for all employees, stakeholders, and service providers affiliated with the organization.

9 This percentage represents 17 organizations. 10 This percentage represents 8 organizations. 11 60 percent of the 82 organizations assign board-level responsibility for FCPA efforts at the audit-committee level and

27 percent assign FCPA responsibility to the full board of directors.

2%

2%

6%

20%

25%

45%

Another area of the company is primarily responsible for investigations; internal auditing does not actively participate

in the investigations

Third parties are hired by internal auditing to conduct the investigations

Third parties are hired by the area responsible for FCPA to conduct investigations

Other

Internal auditing is primarily responsible for conducting or managing FCPA investigations

Another area of the company is primarily responsible for investigations; internal auditing participates with that area in investigations or providing support as needed or requested

18

Formal guidelines pertaining to the use of third-party service providers.

Proper tone at the top in support of FCPA compliance efforts and management involvement in anti-corruption activities.

A confidential reporting mechanism for compliance breaches.

Enforcement of clear penalties under the organization‘s code of conduct for noncompliance with FCPA policies and procedures.

In terms of internal audit practices, ensuring the joint coordination between the internal audit activity and legal department on matters pertaining to FCPA compliance and testing was identified as the No. 1 step necessary for achieving FCPA compliance success. Other steps, in order of importance, include executing a documented approach and methodology under the company‘s overarching FCPA policy; using third-party expertise to supplement resources, knowledge, and tools; and using data analytic tools to identify high-risk transactions. (Refer to Figure 4 for a summary of all results.) Furthermore, testing policies and procedures for awareness and effectiveness was identified as the No. 1 FCPA compliance responsibility for internal audit activities followed by reporting findings to compliance officers, audit committees, and legal counsel. The identification of these two elements is not surprising given the high value survey participants place on the coordination of FCPA testing and compliance activities between internal auditing and organizational functions. (Figure 5 gives a snapshot of internal audit responsibilities pertaining to FCPA compliance and Figure 6 provides a detailed list of all testing procedures used to confirm whether controls and processes over illegal payments are working as intended.) Figure 4. Steps Necessary to Achieve the Success of FCPA Internal Audit Programs (Note: Percentages are based on the 82 respondents working in organizations that perform business transactions outside the United States)

6%

22%

32%

29%

29%

31%

77%

We use dedicated and properly trained internal auditors to focus on FCPA compliance and audits; please specify the number of internal auditors dedicated to FCPA compliance

We perform regular, stand-alone FCPA assessments that are solely focused on foreign transactions

We perform FCPA-specific risk assessments for proactive location and scope selection

We use third-party expertise to supplement resources, knowledge, and tools

We use data analytic tools to identify high risk transactions

We execute the documented approach and methodology under the company’s overarching FCPA policy

There is joint coordination between the internal audit activity and legal department on matters pertaining to FCPA

compliance and testing

19

Figure 5. Internal Audit Responsibilities Pertaining to FCPA Compliance (Note: Percentages are based on the 82 respondents working in organizations that perform business transactions outside the United States)

Figure 6. Testing Procedures for Controls and Processes Over Illegal Payments (Note: Percentages are based on the 82 respondents working in organizations that perform business transactions outside the United States)

13%

23%

23%

26%

38%

38%

39%

44%

48%

52%

55%

68%

74%

Applying automated controls and proactive data anomaly detection tools

Training foreign employees

Sharing with employees lessons learned from prior FCPA matters

Testing employees for FCPA policies and requirements

Accumulating electronic data and conducting interviews

Driving policy and procedural change using identified risks and gaps

Obtaining or reviewing annual employee compliance declarations

Assessing management’s FCPA knowledge and compliance activities

Conducting broad FCPA risk assessments that identify potential high-risk areas based on analysis

Testing transactions to determine whether FCPA controls are working as intended

Selecting samples of high-risk transactions for further analysis

Reporting findings to compliance officers, audit committees, and legal counsel

Testing policies and procedures for awareness and effectiveness

24%

33%

37%

44%

45%

50%

52%

60%

63%

72%

Accounts receivable data for US $0 invoices or credits to customers

Purchases from partially or wholly government-owned entities

Bank statement reconciliations and details

Petty cash activities

Activities and payments related to sales to government customers

Anti-bribery provisions in agreements with agents

Selected general ledger accounts

Payments to government entities for goods, services, and other regulatory matters such as fines, penalties, licenses, and permits

Accounts payable data for high-risk transactions

Employee expense reports

20

Risks assessments are a key component of the organization’s FCPA compliance efforts. Risk assessments are a valuable tool in helping senior management and internal audit activities identify potential and existing areas that could expose an organization to compliance violations. The survey asked participants key questions regarding their use of risk assessments as part of the organization‘s FCPA compliance programs. Nearly three-fourths of survey respondents (74 percent) stated that the internal audit activity completes a risk assessment that identifies risks pertaining to FCPA compliance. The top five risk factors that are considered during the risk assessment process, in order of importance, include:

The company‘s geographic location and its corruption rating from Transparency International.

Business unit susceptibility to FCPA violations related to the use of third parties.

Previous internal control deficiencies and vulnerabilities.

Findings from previous transaction tests, audits, surveys, and hotlines.

The history of FCPA violations in the industry and company. (Figure 7 identifies each of the risk factors.) As is clearly evident, risk factors identified by survey participants are similar to the ones described earlier throughout the report. Figure 7. Risk Factors Considered During the Risk Assessment Process (Note: Percentages are based on the 82 respondents working in organizations that perform business transactions outside the United States)

12%

15%

18%

18%

20%

21%

26%

37%

38%

43%

48%

51%

55%

55%

56%

60%

65%

67%

Growth rates

Compensation standards for employees and executives

The number and dollar amount of accounts payable transactions

Budget to actual variances

The nature of time and expense reporting

Discretionary, noninventory spending

International business unit revenues

The country’s anti-corruption enforcement level and ongoing investigations

The dollar amount and percentage of government business activities

Payments for professional services

Recent business unit changes in management or business composition

Employee, vendor, and agent knowledge and awareness of FCPA rules

Payments to third parties including sales agents and commercial agents

The history of FCPA violations in the industry and company

Findings from previous transactions tests, audits, surveys, and hotlines

Previous internal control deficiencies and vulnerabilities

Business unit susceptibility to FCPA violations related to the use of third parties

The company’s location and corruption rating from Transparency International

21

Resources The following online resources can provide CAEs and internal auditors with more information on the FCPA:

Official FCPA Information

U.S. Department of Justice‘s FCPA Web page, www.justice.gov/criminal/fraud/fcpa/.

U.S. Federal Sentencing Commission‘s Federal Sentencing Guidelines Manual Web page, www.ussc.gov/guidelin.htm.

U.S. Department of Justice‘s Opinion Procedure Release 04-02, www.justice.gov/criminal/fraud/fcpa/opinion/2004/0402.pdf (PDF, 23.6 KB)

Online Articles and Other Resources

―5 Ways Your Audit Team Can Incorporate FCPA Screening Into an ‗Everyday‘ Audit,‖

www.amper.com/publications/fcpa-audit-screening.asp.

AICPA‘s ―Foreign Corrupt Practices Act — Primer and Tool for Audit Committees,‖

www.aicpa.org/download/audcommctr/Audit_Committee__FCPA.pdf (PDF, 150 KB).

FindLaw.com‘s FCPA Web page, http://library.findlaw.com/1997/Jan/1/126234.html.

Forbes.com‘s ―Investigating the FCPA,‖ www.forbes.com/2009/12/08/foreign-corrupt-

practices-act-opinions-contributors-michael-perlis-wrenn-chais.html.

http://findarticles.com/p/articles/mi_m4153/is_1_61/ai_n6152505/.

HG.org. ― Compliance with the Foreign Corrupt Practices Act in the Post-Sarbanes-Oxley

World,‖ www.hg.org/articles/article_235.html.

Internal Auditor, ―Prescription for FCPA Audits‖ (February 2010),

http://theiia.texterity.com/ia/201002#pg55.

IIA Flash survey, ―The U.S. Foreign Corrupt Practices Act: Current Internal Audit and

Compliance Practices‖ (March 2010), www.theiia.org/download.cfm?file=54479

Transparency International‘s 2009 Corruption Perception Index Web page,

www.transparency.org/policy_research/surveys_indices/cpi/2009.

WrageBlog.com, ―Role of Federal Sentencing Guidelines in FCPA Cases,‖

http://wrageblog.org/2009/09/29/role-of-federal-sentencing-guidelines-in-fcpa-cases/.