fcpa compliance: practical steps to establish and maintain control across the globe

Ask, Share, Learn – Within the Largest Community of Corporate Finance Professionals

FCPA Compliance: Practical Steps to Establish and

Maintain Control Across the Globe

Jeremy Clopton, Senior Managing Consultant, BKD, LLP

Phil Lim, Product Manager, ACL

•

•

•

http://www.proformative.com/

After participating in this event you will be able to:

• Understand how to identify and mitigate FCPA risk exposures at your

company

• Discover current and emerging trends in technology that allow pro-active

risk exposure management

• Understand how to continuously monitor company data for suspicious FCPA

activities

Ask, Share, Learn – Within the Largest Community of Corporate Finance Professionals

FCPA Compliance: Practical Steps to Establish and

Maintain Control Across the Globe

Jeremy Clopton, Senior Managing Consultant, BKD, LLP

Phil Lim, Product Manager, ACL

Jeremy Clopton,Senior

Managing Consultant,

BKD, LLP

@j313

Phil Lim, Product

Manager, ACL

$1.9+ Billion

• Total Penalties 2010-2013

• 20+ Organizations

Personal Liability

• Personal fines

• Incarceration

Reputational Damage

• Total Penalties 2010-2013

• 20+ Organizations

• Personal fines

• Incarceration

$398 Million

Total S.A.

2013

$95 Million

Magyar Telecom

2011

$70 Million

Johnson & Johnson

2011

$45 Million

Pfizer

2012$29 Million

Eli Lily 2012

The Scenario

The Bribe

What’s the issue?

• You are part of an organization that manufactures and sells trains.

• Government of Meydupistan needs to purchase new trains for its national railroad.

• Budget of ~$100 Million.

The Scenario

The Bribe

What’s the issue?

•To obtain the business, government minister in charge is told:

•$100K will be directed to his “favorite charity”

The Scenario

The Bribe

What’s the issue?

•$100K went from the people of Meydupistan to the Minister’s pocket.

•Not fair for competition:•What if a competitor had better trains for less?

The Need

• FCPA violation = need for compliance plan

• 8 countries of interest

• Multiple accounting systems

The Solution

• Monthly compliance monitoring:

• Dashboard for management review (8 – 10 analytics in one page)

• Accompanying details for compliance and internal audit review

• Increase in effectiveness and efficiency in testing

The Need

• FCPA violation = need for compliance plan

• Lots of Joint Ventures/Acquisitions in worldwide markets

The Solution

• Step 1: Assessment of control environment (Internal Audit)

• Step 2: Implement continuous monitoring data analytics

• Step 3: Follow-up and report on findings and management remediation

• Step 4: Repeat

Financial reporting controls are not bribery controls.

More application system controls can be ineffective.

One-off initiatives are not sustainable.

Stakeholders (internal and external) need visibility.





•One time donation to a foreign

official’s favourite charity? Not

an issue for SOX, but for

FCPA…

•What do we need to test for?





•Implementing further

application system controls can

lead to inflexibility, rejection, and

ultimately, workarounds.

•How do we maintain business

agility while addressing the

issue?





•One-off initiatives to produce a

“report” don’t affect culture nor

promote transparency.

•How do we ensure lasting impact

of our mitigation efforts?





•How does the executive team

keep informed about ongoing

bribery and corruption risk?

•What about demonstrating to

authorities that an effective

program is in place?

Self-Assessment

• Internal Control Reviews

• Policy Reviews

• Ad-hoc Analysis and Sampling

Continuous Monitoring

•Timely Alerts of Suspicious Activities

•Exception Management Workflow

•Maintain Business Agility

Executive Visibility

• Dashboard for Senior Leadership to action

• External Stakeholders

Conduct Internal Control Reviews

Distribute and Track Deliverables

Who should perform the Assessment?

• Anti-Bribery Policies / Employee Education / Reporting hotlines

• Document sources of revenue (party planning?)

• Business Partner/Joint Venture/Third party due diligence




• Management Recommendations

• Control Deficiencies




• External assurance firm?

• Internal audit team/compliance team?

• Can better follow-up with findings, know the business

Implement Detective Controls

Where to Apply Bribery Analytics

Define the Remediation Workflow

• Incorporate analytics to increase effectiveness

• Maintain Business Agility

• Create a common data model to deal with disparate systems




• Where to apply data analytics

• Multiple business processes –Vendor Management, P2P, GL, Payroll, TNE




• Document follow-up and remediation

• Identify trend of control effectiveness

• Further refine analytic logic and parameters, and processes

•

–

–

•

–

–

–

• Area: TNE

Fictitious Merchants

• A fictitious merchant is set up to channel funds to an unauthorized third party.

Risk

• Management should be notified when a merchant is used by very few individuals but whose average transaction size is large.

• Management should review and remediate exceptions on a timely basis.

Control

• Area: TNE




• Area: TNE

Manual Postings to System Accounts


Risk



Control

• Area: GL

• A manual journal entry is posted to a system account to hide a transaction to an unauthorized third party

• Management should be notified of manual journal entries to GL accounts typically reserved for application system use.


• Area: TNE

New Vendor Monitoring


Risk



Control

• Area: P2P

• Vendors without a previous relationship with the organization may be used to channel funds to an unauthorized third party.

• Management should be notified when there are new vendors with significant transaction values.

• Management should review and remediate identified transactions on a timely basis.

• Area: TNE

Non-Vendor Cash Payments


Risk



Control

• Area: P2P, GL

• Cash payments not recorded in the accounts payable detail are not linked to a vendor and may not contain sufficient detail to analyze propriety of payment.

• Management should be notified when a payment is made through any system other than accounts payable.


• Area: TNE

Invoices without Descriptions


Risk



Control

• Area: P2P

• Improper payments, and improper recording of these payments, through the accounts payable system by entering invoices without proper descriptions.

• Management should be notified when payments are made on invoices without an description.


• Area: TNE

Sales Adjustments or Write-offs to Customers


Risk



Control

• Area: O2C

• Adjustments or write-offs may be manipulated in a kick-back or bribery scheme.

• Management should be notified of repetitive, significant adjustments and write-offs to the same customer.


• Area: TNE

Payroll Employees without Deductions


Risk



Control

• Area: Payroll

• Phantom employees may be used to channel funds to an inappropriate third party.

• Management should be notified of any payroll transactions without appropriate deductions.


•

•

–

•

–

•

•

http://www.acl.com/

http://www.bkd.com/services/investigation-public-corruption-response.htm







mailto:[email protected]

http://www.proformative.com/

fcpa compliance: practical steps to establish and maintain control across the globe

Business

senior managing consultant

senior level corporate

product manager

fcpa risk exposures

llpphil lim

globejeremy clopton

moral issue6the moral

case studies10fcpa needles