FCPA 10 Hallmarks Self- Assessment

Transcription

1 FCPA 10 Hallmarks Self- Assessment How exposed is your business to corruption risk? Take this assessment to find out if your systems are sufficiently robust to protect your business October 2014 Prepared by Compliance Experts

2 FCPA VULNERABILITY ASSESSMENT REF QUESTION YES NO N/A COMMENT 1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption 1.01 Has the organization documented a clear and concise anti-corruption compliance policy? 1.02 Does the policy take into account the nature of the business, having regard to: a) Products b) Services c) Locations d) Operations e) Transactions 1.03 Does the policy indicate a commitment to continual improvement in anti-corruption compliance, and prevention of corrupt transactions? 1.04 Does the policy commit the organization to comply with the FCPA and other anti-corruption laws in all areas in which it operates? 1.05 Does the policy commit to and provide an overall framework for setting improvement objectives and targets by specifying broad organizational goals? 1.06 Does the policy mandate the commitment of every person in the organization to comply with its requirements? 1.07 Has the organization's anti-corruption policy been authorized by top management? 1.08 Has the policy been communicated to all employees and all business functions? 1.09 Has the policy been communicated to all business partners with whom the organization deals, including: a) Customers b) Third party agents c) Contractors/sub contractors d) Government officials 1.10 Is the policy available to interested parties? 1.11 Is the policy available in the local languages for all countries in which the organization operates? 2. Code of Conduct and Compliance Policies and Procedures 2.01 Is there a documented process for identifying and accessing legal and other requirements relating to corrupt practices associated with your business?

3 Are these legal and other requirements taken into account in establishing, implementing and maintaining the compliance system? Is this information kept up to date? Is there a mechanism for effectively communicating relevant information on legal and other requirements such as regulations, standards, codes of practice, agreements and guidelines to persons working under the control of the organization and other relevant parties? Are anti-corruption objectives established, implemented, and maintained at each relevant function and level? Are objectives measurable, where practicable? Do objectives include a specific commitment to: a) Comply with applicable legal requirements b) Continual improvement? Are the following key factors taken into account when objectives are established and reviewed? a) Legal and other requirements b) Corruption Risks c) Technological options d) Financial options e) Operational issues f) Business requirements g) Views of relevant interested parties Do international contracts contain the following FCPA related clauses? a) Requiring the parties to know and comply with FCPA requirements. b) Requiring the provision of documents and records in the event of an Investigation. c) Providing for the cancellation of the contract in the event of an FCPA violation. Have program(s) for the achievement of anticorruption objectives been established, implemented and maintained? Have procedures been established, implemented and maintained for the ongoing prevention of corrupt practices? Do such procedures contain adequate definitions to ensure compliance - including the following? a) Responsibilities b) Proper internal controls c) Auditing practices d) Records e) Documentation requirements 2.13 Do such procedures cover the full scope of the organization's activities and operations, including the

4 following? a) Products and services b) Third-party agents c) Customers d) Government interactions e) Industry related risks f) Geographic risks Do such procedures adequately address all FCPA related risks facing the organization, including the following? a) The nature and extent of transactions with foreign governments b) Payments to foreign officials c) Use of third parties d) Gifts e) Travel f) Entertainment expenses g) Charitable and political donations h) Facilitating and expediting payments Do such procedures detail appropriate transaction approval mechanisms including the specification of the following? a) Monetary transaction limits b) Annual transaction limits c) Routing of unusual requests to senior management Has the organization designed and implemented a robust system of internal accounting controls to ensure that transactions are executed only in accordance with management s general or specific authorization? Does the system of internal accounting controls adequately take into account the operational realities and risks attendant to the organization - including the following? a) The nature of its products and services b) How the products or services get to market c) The nature of its work force d) The degree of regulation e) The extent of interactions with government(s) f) The degree to which the organization has operations in countries with a high risk of corruption Do procedures include the requirement to make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the organization? Do procedures include the requirement to record transactions in such a way as to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements?

5 2.20 Do procedures include the requirement to maintain accountability for assets? Do procedures permit access to assets only in accordance with management s general or specific authorization? Do procedures ensure that the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences? Do procedures specify controls to prevent the misreporting of these types of payment? a) Commissions or Royalties b) Consulting Fees c) Sales and Marketing Expenses d) Scientific Incentives or Studies e) Travel and Entertainment Expenses f) Rebates or Discounts g) After Sales Service Fees h) Miscellaneous Expenses i) Petty Cash Withdrawals j) Free Goods k) Intercompany Accounts l) Supplier / Vendor Payments m) Write-offs n) 'Customs Intervention' Payments Does the organization have a class of securities registered pursuant to Section 12 of the Exchange Act or that is required to file annual or other periodic reports pursuant to Section 15(d) of the Exchange Act.? Has the organization complied with SOX Section 404 (15 U.S.C. 7262) (Reporting on the State of a Company s Internal Controls over Financial Reporting)? Has the organization complied with SOX Section 802 (18 U.S.C and 1520) (Criminal Penalties for Altering Documents)? Has the organization complied with SOX Section 302 (15 U.S.C. 7241) (Responsibility of Corporate Officers for the Accuracy and Validity of Corporate Financial Reports)? 3. Oversight, Autonomy, and Resources 3.01 Has the organization assigned responsibility for the oversight and implementation of the anti-corruption compliance policy to one or more specific senior executives? 3.02 Are such senior executives able to operate autonomously in the performance of their duties?

6 3.03 Do such senior executives have access to the organization s governing authority? 3.04 Has the organization defined roles, allocated responsibilities and accountabilities, and delegated authorities at all business levels to facilitate effective implementation of the compliance program? 3.05 Have roles, responsibilities, accountabilities, and authorities been documented and communicated to all persons working in the organization? 3.06 Has the organization allocated adequate staffing and resources relative to the size, structure, and risk profile of the business? 4. Risk Assessment Has a procedure been established, implemented and maintained for the ongoing identification and assessment of FCPA violation risks? Is the methodology for risk assessment defined with respect to its scope, nature and timing to ensure it is proactive? Does the procedure require a focus on high-risk markets, activities and transactions rather than lowrisk areas? Does the procedure address all types of activities and transactions, including the following? a) Routine activities and transactions b) Non routine activities and transactions c) Large government bids d) Questionable payments to third-party consultants Does the procedure ensure that the risk assessment approach is commensurate with the size and risk of the transaction? Does the procedure include the determination of appropriate control measures relative to the identified risk, such as increased due diligence, monitoring, or periodical audits? Are control measures appropriate given the exposure of the organization to key risks including the following? a) Country b) Industry sector c) The business opportunity d) Potential business partners e) Level of involvement with governments f) Amount of government regulation and oversight g) Exposure to customs and immigration in conducting business affairs Does the procedure take into account risks

7 4.09 associated with proposed changes in the organization, its activities, products and services, or the markets in which it operates? Following implementation of the risk management program, can it be said that the organization fully understands the risks associated with foreign corrupt practices (bribery), and has implemented robust controls to mitigate these risks? 5. Training and Continuing Advice 5.01 Is there a procedure in place for identifying competency needs of the following internal and external stakeholders with whom it deals? a) Top management b) Employees c) Customers d) Third party agents e) Contractors/sub contractors f) Government officials 5.02 Does the organization operate an anti-corruption training program? 5.03 Does the training program cover these key topics? a) Identification and management of corruption risks b) Related company policies and procedures c) Instruction on laws relating to the countries and industries in which the organization operates d) Practical advice to address real-life scenarios e) Case studies 5.04 Is the training presented in a manner appropriate for the targeted audience? 5.05 Is the training and training materials provided in the local language? Is the training supplemented by guidance and advice on complying with the company s ethics and compliance program? Does this procedure take into account differing levels of responsibility, ability, language skills, literacy and risk? 5.08 Are training records retained for all training provided? 5.09 Does the organization evaluate the effectiveness of the training or action taken, and retain associated records? 6. Incentives and Disciplinary Measures

8 Does the organization provide positive incentives such as these? a) Personnel evaluations and promotions b) Rewards for improving and developing the company s compliance program c) Rewards for ethics and compliance leadership Is adherence to compliance a significant metric for management s bonuses so that compliance becomes an integral part of management s everyday concern? 6.03 Are compliance professionals and internal audit staff recognized by the organization? 6.04 Has the organization implemented appropriate and clear disciplinary procedures? 6.05 Have these procedures been applied consistently and promptly? 6.06 Are disciplinary procedures commensurate with the related violation? 7.Third Party Due Diligence and Payments Has the organization clearly identified all third parties assisting the organization in some aspect of its foreign business? Have adequate procedures been established, implemented and maintained for the conduct of due diligence on third parties? Do such procedures provide for due diligence on the following related third parties? a) Agents b) Consultants c) Distributors Do such procedures require the ongoing assessment of third parties in relation to their qualifications, associations, and relationships with foreign officials, and the person(s) in the organization who have authority to enter into a contract with them? 7.05 Do such procedures require an increased level of scrutiny where "red flags" surface? 7.06 Do such procedures require the detailed analysis of the business rationale behind the third party engagement, including these key factors? a) Including the third party in the transaction b) The role of and the need for the third party c) The contract terms specifying the services to be performed d) The timing of the introduction of the

9 third party to the transaction Do such procedures require the analysis of the following financial components of each third party transaction? a) Payment terms b) Timing of payments c) Comparison with other similar transactions in the industry or country concerned Do such procedures require verification that the third party is actually performing the specified work and that payments are commensurate with this work? Do such procedures include a system for ongoing monitoring of third party relationships using these mechanisms? a) Updating due diligence periodically b) Exercising audit rights c) Providing periodic training d) Requesting annual compliance certifications by the third party 7.10 Has the organization informed third parties of its compliance program and commitment to ethical and lawful business practices or where appropriate, sought assurances from third parties, through certifications and otherwise, of reciprocal commitments? 8. Confidential Reporting and Internal Investigation Does the organization have a mechanism for an organization s employees and others to report suspected or actual misconduct or violations of its policies? Are all reports treated on a confidential basis? 8.03 Does the mechanism ensure that employees and others are able to report without fear of retaliation? 8.04 Does the organization have an efficient, reliable, and properly funded process for investigating the allegation and documenting the organization s response? 8.05 Do policies and procedures include disciplinary or remediation measures to be taken? 8.06 Does the company analyze reported violations and the outcome of any resulting investigations in order to update its internal controls and compliance program and focus future training on such issues, as appropriate? 9. Continuous Improvement: Periodic Testing and Review 9.01 Does top management review the compliance

10 program at planned intervals, to ensure that it remains current, relevant and appropriate to the organization? Are the anti-corruption policy objectives and performance measured against stated objectives and targets? Do such steps include a review of ongoing changes such as these? a) The company s business over time b) The environments in which the company operates c) The nature of its customers d) The laws that govern its actions e) Industry standards Do reviews cover audit findings? 9.05 Is the compliance program updated following management reviews? 9.06 Are the outputs from management reviews consistent with the organization's commitment to continual improvement? 9.07 Are relevant outputs from management reviews made available for communication and consultation? 9.08 Are top management reviews documented and retained? 9.09 Do documented procedures detail the process to monitor and measure performance of the compliance program on a regular basis? 9.10 Do the procedures require the implementation of these performance measurement activities? a) Qualitative measures for the needs of the organization b) Quantitative measures for the needs of the organization c) Monitoring the extent of meeting FCPA objectives d) Use of proactive measures of performance e) Use of reactive measures of performance to monitor incidents and adverse events f) Recording of results and date of monitoring and measurement 9.11 Does the organization undertake a critical evaluation of its potential weaknesses and risk areas, such as surveys to measure compliance culture and the strength of internal controls, identify best practices, and detect new risk areas? 9.12 Does the organization undertake targeted audits to make certain that controls on paper are working in

11 practice? Are audit programs and schedules based on corruption risks and significant aspects of business operations, locations, and processes? Does the selection of auditors and conduct of audits ensure objectivity and the impartiality of the audit process? Do the audits seek to determine these key objectives? a) Conformance of the Compliance Program to FCPA regulations and other applicable regulations b) That the Compliance Program has been properly implemented and maintained c) That the Compliance Program is effective in meeting the organization's policy and objectives Do the audits review the results of previous audits? 9.17 Are audit results communicated to and reviewed by top management? 9.18 Are audit records retained? 10. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration Have adequate procedures been established, implemented and maintained for the conduct of FCPA due diligence on mergers and acquisitions? Do such procedures require due diligence to be conducted pre-acquisition or where circumstances prevent this, as soon as practicable post-acquisition? Do such procedures provide for the immediate disclosure to the authorities of any corrupt payments or practices uncovered during the due diligence? Do such procedures require the immediate integration of the acquired business into the organization's compliance program and internal control systems? Have the following integration actions been implemented for acquired business units? a) Training of new employees b) Re-evaluation of third parties under company standards c) Conduct of audits