Ask, Share, Learn – Within the Largest Community of Corporate Finance Professionals
FCPA Compliance: Practical Steps to Establish and Maintain Control Across the Globe
Jeremy Clopton, Senior Managing Consultant, BKD, LLP
Phil Lim, Product Manager, ACL
After participating in this event you will be able to:
• Understand how to identify and mitigate FCPA risk exposures at your company
• Discover current and emerging trends in technology that allow pro-active risk exposure management
• Understand how to continuously monitor company data for suspicious FCPA activities
Jeremy Clopton, Senior Managing Consultant, BKD, LLP (@j313)
Phil Lim, Product Manager, ACL
$1.9+ Billion
• Total Penalties 2010-2013
• 20+ Organizations
Personal Liability
• Personal fines
• Incarceration
Reputational Damage
• $398 Million: Total S.A. (2013)
• $95 Million: Magyar Telecom (2011)
• $70 Million: Johnson & Johnson (2011)
• $45 Million: Pfizer (2012)
• $29 Million: Eli Lilly (2012)
The Scenario
• You are part of an organization that manufactures and sells trains.
• Government of Meydupistan needs to purchase new trains for its national railroad.
• Budget of ~$100 Million.
The Bribe
• To obtain the business, government minister in charge is told:
• $100K will be directed to his “favorite charity”
What’s the issue?
• $100K went from the people of Meydupistan to the Minister’s pocket.
• Not fair for competition:
• What if a competitor had better trains for less?
The Need
• FCPA violation = need for compliance plan
• 8 countries of interest
• Multiple accounting systems
The Solution
• Monthly compliance monitoring:
• Dashboard for management review (8 – 10 analytics in one page)
• Accompanying details for compliance and internal audit review
• Increase in effectiveness and efficiency in testing
The Need
• FCPA violation = need for compliance plan
• Lots of Joint Ventures/Acquisitions in worldwide markets
The Solution
• Step 1: Assessment of control environment (Internal Audit)
• Step 2: Implement continuous monitoring data analytics
• Step 3: Follow-up and report on findings and management remediation
• Step 4: Repeat
Financial reporting controls are not bribery controls.
• One time donation to a foreign official’s favourite charity? Not an issue for SOX, but for FCPA…
• What do we need to test for?
More application system controls can be ineffective.
• Implementing further application system controls can lead to inflexibility, rejection, and ultimately, workarounds.
• How do we maintain business agility while addressing the issue?
One-off initiatives are not sustainable.
• One-off initiatives to produce a “report” don’t affect culture nor promote transparency.
• How do we ensure lasting impact of our mitigation efforts?
Stakeholders (internal and external) need visibility.
• How does the executive team keep informed about ongoing bribery and corruption risk?
• What about demonstrating to authorities that an effective program is in place?
Self-Assessment
• Internal Control Reviews
• Policy Reviews
• Ad-hoc Analysis and Sampling
Continuous Monitoring
• Timely Alerts of Suspicious Activities
• Exception Management Workflow
• Maintain Business Agility
Executive Visibility
• Dashboard for Senior Leadership to action
• External Stakeholders
Conduct Internal Control Reviews
• Anti-Bribery Policies / Employee Education / Reporting hotlines
• Document sources of revenue (party planning?)
• Business Partner/Joint Venture/Third party due diligence
Distribute and Track Deliverables
• Management Recommendations
• Control Deficiencies
Who should perform the Assessment?
• External assurance firm?
• Internal audit team/compliance team?
• Can better follow-up with findings, know the business
Implement Detective Controls
• Incorporate analytics to increase effectiveness
• Maintain Business Agility
• Create a common data model to deal with disparate systems
Where to Apply Bribery Analytics
• Where to apply data analytics
• Multiple business processes – Vendor Management, P2P, GL, Payroll, TNE
Define the Remediation Workflow
• Document follow-up and remediation
• Identify trend of control effectiveness
• Further refine analytic logic and parameters, and processes
Fictitious Merchants
• Area: TNE
Risk
• A fictitious merchant is set up to channel funds to an unauthorized third party.
Control
• Management should be notified when a merchant is used by very few individuals but whose average transaction size is large.
• Management should review and remediate exceptions on a timely basis.
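The fictitious-merchant control above, written as a group-by over T&E expense lines. This is an added example, not part of the original slides and not ACL script; the field layout, the sample rows and the two thresholds are assumptions, since the slide does not define "very few" or "large".

```python
from collections import defaultdict
from statistics import mean, median

# Constructed T&E expense lines: (employee_id, merchant_name, amount)
SAMPLE_TNE = [
    ("E01", "Hilton Hotels", 420.00),
    ("E02", "Hilton Hotels", 380.00),
    ("E03", "HILTON HOTELS ", 450.00),
    ("E04", "Hilton Hotels", 400.00),
    ("E01", "City Taxi", 35.00),
    ("E02", "City Taxi", 42.00),
    ("E05", "City Taxi", 28.00),
    ("E06", "Airport Parking", 60.00),
    ("E07", "Meridian Consulting Svcs", 9500.00),
    ("E07", "meridian consulting svcs", 8800.00),
    ("E07", "Meridian  Consulting Svcs", 9900.00),
]

def flag_fictitious_merchants(rows, max_users=2, median_multiple=5.0):
    """Flag merchants used by few employees with a large average transaction.

    Assumed thresholds: "very few" = at most max_users distinct employees;
    "large" = average at least median_multiple times the median of all lines.
    """
    if not rows:
        return []  # nothing to baseline against
    baseline = median(amount for _, _, amount in rows)
    users, amounts = defaultdict(set), defaultdict(list)
    for employee, merchant, amount in rows:
        # Collapse case and whitespace so spelling variants group together.
        key = " ".join(merchant.upper().split())
        users[key].add(employee)
        amounts[key].append(amount)
    exceptions = []
    for key, values in amounts.items():
        average = mean(values)
        if len(users[key]) <= max_users and average >= median_multiple * baseline:
            exceptions.append({
                "merchant": key,
                "employees": sorted(users[key]),
                "transactions": len(values),
                "avg_amount": round(average, 2),
            })
    # Largest averages first, so reviewers see the biggest exposure at the top.
    return sorted(exceptions, key=lambda e: e["avg_amount"], reverse=True)

if __name__ == "__main__":
    for exception in flag_fictitious_merchants(SAMPLE_TNE):
        print(exception)
```

Tying "large" to the median of all expense lines keeps the test usable across entities with different currencies and spending levels; the exceptions it returns feed the review-and-remediate step of the control.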
Manual Postings to System Accounts
• Area: GL
Risk
• A manual journal entry is posted to a system account to hide a transaction to an unauthorized third party
Control
• Management should be notified of manual journal entries to GL accounts typically reserved for application system use.
• Management should review and remediate exceptions on a timely basis.
New Vendor Monitoring
• Area: P2P
Risk
• Vendors without a previous relationship with the organization may be used to channel funds to an unauthorized third party.
Control
• Management should be notified when there are new vendors with significant transaction values.
• Management should review and remediate identified transactions on a timely basis.
Non-Vendor Cash Payments
• Area: P2P, GL
Risk
• Cash payments not recorded in the accounts payable detail are not linked to a vendor and may not contain sufficient detail to analyze propriety of payment.
Control
• Management should be notified when a payment is made through any system other than accounts payable.
• Management should review and remediate identified transactions on a timely basis.
Invoices without Descriptions
• Area: P2P
Risk
• Improper payments, and improper recording of these payments, through the accounts payable system by entering invoices without proper descriptions.
Control
• Management should be notified when payments are made on invoices without a description.
• Management should review and remediate identified transactions on a timely basis.
Sales Adjustments or Write-offs to Customers
• Area: O2C
Risk
• Adjustments or write-offs may be manipulated in a kick-back or bribery scheme.
Control
• Management should be notified of repetitive, significant adjustments and write-offs to the same customer.
• Management should review and remediate exceptions on a timely basis.
Payroll Employees without Deductions
• Area: Payroll
Risk
• Phantom employees may be used to channel funds to an inappropriate third party.
Control
• Management should be notified of any payroll transactions without appropriate deductions.
• Management should review and remediate exceptions on a timely basis.