Managing FCPA (Foreign Corrupt Practices Act) Risks




Diana Shin, Partner
Jacqueline Fan, Associate Director
Fraud Investigation and Dispute Services
July 2010

Agenda
1. Compliance pressure points
2. Putting into practice an FCPA compliance program: A step-by-step guide
3. Adopting Continuous Compliance Monitoring
4. Case studies for discussion

Quiz: FCPA anti-bribery provisions
Company A is a US corporation with securities registered with the SEC.
True or False:
- Company A is liable under the FCPA only for authorized bribes to non-US government officials paid by its employees or agents.
- Company A is liable for any bribes to non-US government officials, except for corrupt payments of small, nonmaterial amounts.
- Company A is not liable under the FCPA for bribes paid by non-US nationals as they do not fall under the jurisdiction of the US authorities.
- Company A's employees and agents who are not US nationals cannot be individually prosecuted for violating the FCPA.

Quiz: FCPA books and records
Devon Plastics is a U.S. publicly listed company that operates in Indonesia. Jack Saunders, a mid-level marketing manager for Devon Plastics, makes a secret agreement with a government official to pay bribes to the official in order to obtain government business. The bribes are paid through an intermediary who provides Devon Plastics with an invoice for consulting services. The transaction is recorded in Devon Plastics' books as consulting expenses. Jack Saunders is the only Devon Plastics employee aware of the bribe payments.
True or False:
1. Jack Saunders has committed an FCPA anti-bribery violation.
2. Jack Saunders has committed an FCPA Books and Records violation.
3. Devon Plastics has committed an FCPA anti-bribery violation.
4. Devon Plastics has committed an FCPA Books and Records violation.

Quiz: FCPA books and records
Cornwall Company is a U.S. publicly traded company that only operates in the US. Jeff Turner, a mid-level marketing manager, makes an agreement with a manager at a private company to pay bribes to the manager in order to obtain business from his company. The bribes are paid through an intermediary who provides Cornwall Company with an invoice for consulting services. The transaction is recorded in Cornwall Company's books as consulting expenses. Turner is the only Cornwall Company employee aware of the bribe payments.
True or False:
1. Turner has committed an FCPA anti-bribery violation.
2. Turner has committed an FCPA Books and Records violation.
3. Cornwall Company has committed an FCPA anti-bribery violation.
4. Cornwall Company has committed an FCPA Books and Records violation.

Quiz: FCPA internal controls
Dorset Company is a US publicly traded company that operates in the Middle East. Dorset Company makes a payment to a consultant for the purposes of passing a bribe to a government official. The payment is made upon submission of a false invoice for consulting services rendered. No due diligence was performed on the consultant prior to it being set up in the Vendor Database.
True or False:
1. Dorset Company is potentially liable under the FCPA Internal Controls provisions.
2. If Dorset Company had stringent financial controls around payments to consultants, including consultant due diligence, an extra-review process for review of consultant payments, FCPA auditing and extensive FCPA training, it could escape liability for an FCPA Internal Controls violation.

Common bribery risk areas
- Employee sales and marketing expense
- Cash advances
- Travel and entertainment expense
- Gifts
- Cash
- Cash equivalents
- Material items
- Procurement and sales
- Kickbacks
- Use of agents and intermediaries
- Commission payments to brokers, distributors, trading companies
- Consultants
- Design institutes
- Service fees
- Promotion activities
- Sponsored travel
- False travel agent invoices
- False meeting organizer invoices
- Conferences / meetings
- Business content vs. entertainment
- Charitable donations

Examples of red flags
Apply to agents, consultants, joint ventures, and contractors that:
- Reside outside the country where the services are to be rendered
- Demand an unusually high commission without a corresponding level of services or risk
- Do not have the organizational resources or staff to undertake the scope of work required under the agreement
- Have a close family connection or other personal or professional affiliation with a foreign government or official
- Refuse to disclose their complete ownership

Examples of red flags (continued)
Apply to agents, consultants, joint ventures, and contractors that:
- Refuse to sign representations, warranties and covenants that they have not violated and will not violate the requirements of the FCPA
- Request that false invoices or other documents be prepared in connection with a transaction
- Engage in transactions in a country with a general reputation for bribery and corruption
- Have a lack of transparency in expenses and accounting records

FCPA compliance program

FCPA compliance program
An anti-fraud program demonstrates that management is setting the proper tone at the top.
An effective anti-fraud program should include each of the following elements (the slide groups them under the labels Setting the Proper Tone, Proactive and Reactive):
- Code of Ethics
- Anti-Fraud Program Policies
- Communications and Training
- Fraud Risk Assessment
- Fraud Controls Monitoring
- Fraud Response Plan
An anti-fraud program will not provide absolute assurance against fraud, but it can help to mitigate the effects of fraud.

Objectives of program elements

Code of Ethics
The purpose of the code of ethics is to promote:
- Honest and ethical conduct
- Full, fair, accurate, timely, and understandable disclosure in reports and documents
- Compliance with applicable governmental laws, rules, and regulations
- Prompt internal reporting of violations of the code
- Accountability for adherence to the code and the sanctions to be imposed

Anti-Fraud Program Policies
Formal anti-fraud policies should:
- Be specific to the individual organization and its operations
- Guide employees through complex issues
- Provide a channel for employees or third parties to report fraud
- Establish procedures to govern the escalation of fraud allegations
- Provide support/protection for whistleblowers

Communication and Fraud Awareness Training
Fraud awareness training should focus on:
- Educating employees on the organization's code of ethics and conduct guidance
- Understanding protocols for reporting suspicious activity
- Communicating the disciplinary actions that may be taken in the event of fraud

Objectives of program elements (continued)

Fraud Risk Assessment
The purpose of fraud risk assessment is to identify areas of susceptibility, including:
- Common types of fraud risk schemes and scenarios that could occur within any organization
- Specific fraud schemes that are industry/sector specific
- Fraud schemes that may be more prevalent in specific geographic locations

Fraud Controls Monitoring
Controls monitoring is based on the results of the fraud risk assessment and is used to:
- Develop action plans to assess, improve, and/or monitor the controls associated with the specific priority fraud risks
- Assess, improve or monitor the company-level controls relevant to fraud risk generally
- Report the results of the action plans to executive management and/or the audit committee

Fraud Response Plan
An effective fraud response plan should include:
- Escalation protocols
- Investigation protocols
- Remediation action steps
- Uniform disciplinary procedures

Fraud risk assessment
A fraud risk assessment helps to identify fraud risks and the controls that mitigate those risks.
[Diagram labels: Fraud Risks; Controls; Company/Entity Level Controls; Transaction Controls; Fraud-Specific Controls & Detection Procedures; Control Environment; Fraud and Ethics Policies; Education; Information and Communications; Monitoring Systems; Transaction Level Controls; Segregation of Duties; IT Application Controls; Authorizations; Reconciliations; Data Analytics; Predictive Modeling; Surprise Audits; 3rd Party Confirmation; Review Related Parties]

Fraud risk assessment
To fully assess the company's risk of official and/or commercial bribery, a multi-level approach is required. Entity level review of policies, procedures and communication activities is first undertaken to assess the overall adequacy of existing compliance standards and Tone at the Top. Process level review and mapping are used to identify potential gaps or weaknesses in controls and documentation.

Entity Level Review and Process Level Review (items in the order they appear on the slide):
- Interactions with government / SOEs
- Formal anti-bribery policies and procedures
- Gift and entertainment policy
- Employee training / awareness initiatives
- Cash disbursements
- Purchasing / vendor selection
- Vendor due diligence
- Event reporting / whistleblower hotlines
- Compliance resources / staffing
- Compliance monitoring plan
- Focus on the role of finance and legal personnel
- Sales and marketing activities
- Agency/distributor relationships
- Contract review and approval

Transaction Level:
- Travel and entertainment expenses
- Service vendor disbursements
- Marketing and promotion expense
- Rebates/discounts/aging
- Agent/broker commissions
- Charitable contributions
- Sponsored trips/petty cash

Fraud controls monitoring
Identify the appropriate controls to monitor based on the associated level of risk:
- Lower Risk: Review Company-Level Controls
- Moderate Risk: Review Company-Level Controls + Review Transaction Controls
- Higher Risk: Review Company-Level Controls + Review Existing Monitoring & Transaction-Level Controls + Fraud-Specific Controls
Continuously monitor the Anti-Fraud program to assess changes in the fraud risk profile.
[Diagram labels: Fraud Risks (Corruption, Asset Misappropriation, Fraudulent Financial Statements); Fraud Risk Assessment (Low, Medium, High); Prevent and Detect Controls (Company-Level Controls + Transaction Level Fraud Controls + Fraud Specific Controls/Procedures); Monitor, Report and Respond (Investigate Findings and Exceptions, Remediate and/or Enhance Controls, Uniform Discipline Policy)]

Fraud response plan
[Diagram labels: Investigate Findings and Exceptions; Remediate and/or Enhance Controls; Uniform Discipline Policy]
Items in the order they appear on the slide:
- Purpose
- Escalate concerns appropriately
- Assign responsibility for investigating fraud
- Develop and initiate disciplinary actions
- Maintain mechanism to record reported fraud
- Detection and action taken
- Action plan upon the detection of suspected fraud
- Prevention of further loss
- Validate that discipline is applied consistently
- Ensure assets or information within the organization are not destroyed
- Establish and secure information
- Establish procedures to secure information and assets during an investigation
- Determine applicability of laws and regulations to evidence
- Recovery of losses
- Legal advice should be obtained on options to recover losses
- Reporting suspected fraud
- Written report clearly indicating the findings and recommendation upon completion of all investigations
- Review of plan
- Review the plan at least annually

Other considerations
What should a corporation do when a problem has been discovered?
- Voluntary disclosure and cooperation
- Opportunity of obtaining meaningful credit
- Deferred prosecution or non-prosecution
- Sentencing credit: below-guidelines fine
- Compliance self-reporting vs. independent compliance monitor
- Depends on severity and pervasiveness of the conduct, quality of the corporation's pre-existing compliance program, remediation effort, etc.
- Global Manufacturer of Electrical and Power Equipment: US$450 million fine paid to DOJ vs. US$1.35 billion to US$2.7 billion called for in the Sentencing Guidelines

Adopting continuous compliance monitoring

Electronic data in enterprise
Background
- When considering enterprise risk, all sources of data should be addressed
- 66% of fraud is detected by accident or tip (i.e., by chance) (Source: 2008 ACFE Report to the Nation on Occupational Fraud and Abuse)
- Gartner study shows that 80% of enterprise data is unstructured in nature
- Most company analysis focuses on the 20% structured data
- Few organizations have the methodologies or technologies to efficiently address unstructured data
[Chart labels: Structured data (20%); CRM; Databases; Accounting Systems; Text; Graphics; Unstructured data (80%); Email; Presentations & Spreadsheets. Source: Gartner Research]

Controls vs. forensic data analytics
- Most often, controls only seek to embed knowledge about current risks (what is known) in the form of non-adaptive, human-derived detection rules
- Controls are most likely to be circumvented or bypassed:
  - Median time of 18 months from the time misuse, abuse and other non-compliance begin until the time it is detected*
  - Non-compliance and abuse are usually first detected more commonly by accidental discovery than by internal audit, internal controls or external audit*
- Data analytics transaction monitoring complements controls-based testing by looking in real time into unusual transactions, in a context derived from the multiple relationships that exist between the different dimensions present in the data and metadata
- This helps target field audit activity on the areas most likely to be at risk that are not currently covered by existing controls, or where current controls have been circumvented
- Measures gaps between policy and expectation vs. what really happens
- Identifies transaction-level signs of errors, abuse, misuse, waste and non-compliance when they are less costly and less complex to prove, correct and remediate
*2006 ACFE Survey on Occupational Fraud

FDA transactional monitoring methodology
- Focus on transactions with the highest potential risk
- Include areas that traditional financial audit cannot cover
- Not every payment transaction bears the same risk level
- Leverage data analytics to increase risk coverage on a continual basis
[Diagram labels: Procurement Data; Master File Analysis; Vendor data fuzzy match; Employee data fuzzy match; Mixed fuzzy match; fuzzy-match fields: Name, Address, Bank account, Phone number; Transactions; Unusual payment numbers; Duplicate payments; Split payments; Payment transactions with vague or missing details; Keywords analysis; Approval Date Gaps; PO vs. Good Received; Segregation of Duties; High Risk Vendors for Field Review; Restricted Vendors]

Internal audit functions continue to struggle with integrating analytics effectively
[Chart labels: Audit Focus; Competency; Process Focus; Technology; Most Fortune 500 IA functions; maturity scale: Basic, Repeatable, Defined, Managed, Optimizing; Level 1 through Level 5]

Maturity Challenges
- Lack of Implementation Strategy
- Data Acquisition
- Training & Competency Development
- Staff Continuity

Level 1
- No formal DA approach, procedures or methodology
- DA performed occasionally at best
- Tools are not readily available
- Dependent on the skills of a limited number of SMR's

Level 2
- DA is recognized as a value-add to the audit
- DA is not yet institutionalized
- Relies on a central group or an individual to understand issues and implement DA procedures as appropriate
- Tools are available, however not applied consistently or correctly

Level 3
- Enforced DA policy supported by a defined methodology
- The use of DA is monitored by IA management
- The quality and impact of DA results are evaluated
- Understanding of the business relevance
- Tools are used to create data analysis models

Level 4
- DA methodology is institutionalized
- Management involved in ongoing DA efforts
- Management understanding of business issues and root cause
- Re-performance of DA procedures
- Advanced tools used, e.g. visual analysis and modeling

Level 5
- Practices evolved in levels 1 through 4 are used to continually improve DA processes, procedures and results
- Continuous control monitoring tools

Apart from the traditional benefits, a technology-based analytics approach provides IA with increased flexibility in execution approach

Enhanced Perspective on Risk
- Integrating analytics into the risk assessment and audit plan definition process
- Central view of process metrics, controls indicators and fraud indicators across key business processes, locations and legal entities

Improved Audit Efficiency
- Integrating analytics into the audit planning process influences the scope, nature and extent of audit procedures
- Improved coverage and opportunity to quantify results; analysis is based on 100% of master and transaction files
- Facilitates sample selection in advance of getting into the field

Flexibility in Approach to Coverage and Execution
- Forms the basis for a continuous auditing approach
- Ability to analyze multiple locations (legal entities, business units or countries) from Corporate, without getting into the field
- Increased coverage, less travel; timing and extent of fieldwork are based on results of analysis

FDA transactional monitoring: existing financial business process modules
- Time & Expenses
- Human Resources & Payroll
- Vendor Payments
- Sales Commission
- Purchase Cards
- Procure to Pay
- Order to Cash
- Segregation of Duties
- Fixed Assets & Capital Projects
- Financial Accounting & Reporting
- Custom process starting from scratch possible

Forensic approach leveraging data analytics
1. Develop scope
2. Planning and preparation
3. Identify potential samples by leveraging forensic data analytics
4. Field testing on samples with high risk indicators
5. Reporting / Follow up
[Diagram callouts: Enhances Fraud Risk Coverage; Increases efficiency by leveraging technology; Making the invisible visible]

The role of data analytics
Key benefits by leveraging data analytics:
- Focus: deployment of resources on samples with high risk indicators while gaining greater risk coverage
- Executive reporting: visual analysis using graphics with patterns, trends, anomalies and outliers
- Benchmarking: comparison across business units/agencies
- Knowledge transfer: sharing of industry practice and data analytic knowledge

The role of data analytics
Data analytic results: example 1
The following diagram showed a wide distribution of rounded-number payments to travel agencies. Therefore, audit resources were focused on these travel agencies.

The role of data analytics
Data analytic results: example 2
The following example showed that by using visual analytic techniques on both the expense amount and the count of invoices in combination, we discover anomalies and outliers for focused sample selection (i.e., making the invisible visible).
[Chart: Expense Amount (0M to 12M) by quarter, Document Date 2005 to 2008; legends: Count of Invoices (1 to 176) and Category (Category1, Category5, Category6, Category7, Category8). Annotations: "High Value and Volume compare to other trends. Samples should be focused in this area."; "Anomalies that should be investigated."]

The role of data analytics
Data analytic results: example 3
The following diagram showed an unusual vendor payment behavior. It shows that only one vendor (in red) was paid more than 23 times per month. Therefore, samples were based on this vendor in months where the number of invoices was greater than 23.
[Chart: Count of Invoice by month]
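The transaction tests named on the methodology slide (duplicate payments, split payments, vendor/employee fuzzy match) and the patterns in results examples 1 and 3 (rounded-number payments, a vendor paid more than 23 times in a month) can be sketched as below. This is an added example, not code from the presentation; the record layout, the sample data, the 500 approval threshold, the 7-day window and the 0.8 address-similarity cut-off are all assumptions.

```python
import re
from collections import defaultdict
from datetime import date
from difflib import SequenceMatcher

# Constructed sample data (not from the presentation).
VENDORS = [
    {"id": "V001", "address": "12 Harbour Road, Unit 4",
     "bank": "6222-0011-7788", "phone": "+62 21 555 0101"},
    {"id": "V002", "address": "88 Market St.",
     "bank": "4000 1234 5678", "phone": "021-555-0199"},
]
EMPLOYEES = [
    {"id": "E017", "address": "88 Market Street",
     "bank": "4000-1234-5678", "phone": "+62 21 555 0142"},
]
PAYMENTS = [  # (payment id, vendor id, invoice no, payment date, amount)
    ("P1", "V001", "INV-100", date(2008, 3, 3), 5000.00),
    ("P2", "V001", "INV-101", date(2008, 3, 17), 12000.00),
    ("P3", "V002", "A-77", date(2008, 4, 1), 480.00),
    ("P4", "V002", "A-78", date(2008, 4, 2), 490.00),
    ("P5", "V002", "A-79", date(2008, 4, 3), 475.50),
    ("P6", "V002", "a 77", date(2008, 5, 9), 480.00),
    ("P7", "V001", "INV-102", date(2008, 6, 2), 3219.40),
]

def _key(text):
    """Normalise an identifier: lower-case, letters and digits only."""
    return re.sub(r"[^0-9a-z]", "", text.lower())

def rounded_payments(payments, base=1000):
    """Payment ids whose amount is an exact multiple of `base`."""
    return [pid for pid, _, _, _, amt in payments if amt >= base and amt % base == 0]

def duplicate_payments(payments):
    """Groups of payment ids sharing vendor, normalised invoice number and amount."""
    groups = defaultdict(list)
    for pid, vendor, invoice, _, amt in payments:
        groups[(vendor, _key(invoice), round(amt, 2))].append(pid)
    return [ids for ids in groups.values() if len(ids) > 1]

def split_payments(payments, threshold=500.0, window_days=7):
    """Per vendor, clusters of sub-threshold payments within `window_days`
    of the first one that together reach the (assumed) approval threshold."""
    by_vendor = defaultdict(list)
    for pid, vendor, _, day, amt in payments:
        if amt < threshold:
            by_vendor[vendor].append((day, pid, amt))
    hits = []
    for vendor, rows in sorted(by_vendor.items()):
        rows.sort()
        i = 0
        while i < len(rows):
            j = i
            while j + 1 < len(rows) and (rows[j + 1][0] - rows[i][0]).days <= window_days:
                j += 1
            cluster = rows[i:j + 1]
            total = round(sum(r[2] for r in cluster), 2)
            if len(cluster) > 1 and total >= threshold:
                hits.append((vendor, [r[1] for r in cluster], total))
                i = j + 1  # continue after the flagged cluster
            else:
                i += 1
    return hits

def busy_vendor_months(payments, max_per_month=23):
    """(vendor, year, month, count) where a vendor was paid more than the limit."""
    counts = defaultdict(int)
    for _, vendor, _, day, _ in payments:
        counts[(vendor, day.year, day.month)] += 1
    return sorted(k + (n,) for k, n in counts.items() if n > max_per_month)

def vendor_employee_matches(vendors, employees, min_ratio=0.8):
    """Vendor/employee pairs sharing a bank account or phone number after
    normalisation, or with a similar address (difflib ratio)."""
    hits = []
    for v in vendors:
        for e in employees:
            fields = [f for f in ("bank", "phone")
                      if _key(v[f]) and _key(v[f]) == _key(e[f])]
            a, b = _key(v["address"]), _key(e["address"])
            if a and b and SequenceMatcher(None, a, b).ratio() >= min_ratio:
                fields.append("address")
            if fields:
                hits.append((v["id"], e["id"], fields))
    return hits

def vendors_for_field_review(payments, vendors, employees):
    """Vendors ranked by how many distinct tests they trip, highest first."""
    vendor_of = {pid: vendor for pid, vendor, _, _, _ in payments}
    flags = defaultdict(set)
    for pid in rounded_payments(payments):
        flags[vendor_of[pid]].add("rounded")
    for ids in duplicate_payments(payments):
        flags[vendor_of[ids[0]]].add("duplicate")
    for vendor, _, _ in split_payments(payments):
        flags[vendor].add("split")
    for vendor, *_ in busy_vendor_months(payments):
        flags[vendor].add("frequency")
    for vendor, _, _ in vendor_employee_matches(vendors, employees):
        flags[vendor].add("employee match")
    return sorted(((v, sorted(t)) for v, t in flags.items()),
                  key=lambda item: (-len(item[1]), item[0]))

if __name__ == "__main__":
    for vendor, tests in vendors_for_field_review(PAYMENTS, VENDORS, EMPLOYEES):
        print(vendor, tests)
```

Each test only selects samples for field review; a flag is a reason to pull the supporting documents, not a finding in itself.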

Hypothetical case studies

FCPA case studies: Berkshire, Inc.
Berkshire, Inc. is a US publicly traded company located in Stamford, Connecticut. Jim Hawthorne, logistics manager for Berkshire, Inc.'s operations in Indonesia, utilizes a well regarded international customs broker, Global Clearing Ltd., to handle importation of equipment into the country. Global Clearing Ltd. invoices Berkshire, Inc. for all incoming shipments. The invoices show the customs broker's fee and detail all customs charges and additional expenses, which are backed by receipts. One expense item, which is regularly contained on the invoices, is for Customs Expediting Fees. For this item, Global Clearing Ltd. does not provide a receipt. The Customs Expediting Fees range from $100 to $5,000, depending on the equipment imported. Hawthorne pays the invoices without question, figuring he is better off not knowing the details behind the Customs Expediting Fees. The Customs Expediting Fees are lumped with the other charges and booked as Customs Expense.

FCPA case studies: Berkshire, Inc.
Questions:
a. Could Hawthorne and Berkshire, Inc. be liable for a possible FCPA violation? Which FCPA provisions might apply?
b. Does Hawthorne's lack of specific knowledge of bribes to customs officials shield him and Berkshire, Inc. from liability?
c. At some point, Don Barter, the Country Controller of Berkshire, Inc., questioned Hawthorne about the lack of supporting documentation. Hawthorne replied that "Global Clearing is a well regarded international customs broker, so we can assume everything is on the up and up. Besides, we need to get the equipment when we need it." Hawthorne thinks the charges might be facilitating payments, and decides to book them as Facilitation Payments Expense. Does Hawthorne have potential FCPA liability?
d. Do Barter, Hawthorne and Berkshire, Inc. have other potential liability other than the FCPA?

FCPA case studies: Surrey, Inc.
Surrey Inc. is a US based public company located in Boston, Massachusetts. Marketing Director Steve Taylor is in charge of the Surrey team proposing, in a closed bidding process, to provide day laborers to Kent, Inc., a US based, publicly-owned construction company. Kent's CEO, Frank Peterson, contacts Taylor and asks for a private meeting. At the meeting, Peterson tells Taylor he will select Surrey as the winning bidder if Surrey pays him 2% of the proceeds on the contract. These payments are to be made through a false invoicing scheme. Peterson sets up a company, Oxford, Inc., which issues monthly invoices for fire safety consulting services. Taylor fills out paperwork to have Oxford added to Surrey's Vendor Master Database. The paperwork is processed with no questions asked. Taylor then signs off on the invoices. The payments are booked as consulting fees.
Questions:
a. Are the payments to Oxford, Inc. FCPA violations? Which FCPA provisions might apply?
b. Would it matter if Kent only did business inside the US?
c. What red flags, if noticed, or controls might have stopped these payments?
d. What if Peterson demanded a one-time payment of $100? The payment is booked as consulting services. Would Surrey be liable for an FCPA violation?

FCPA case studies: Cumberland, Inc.
Cumberland, Inc., a US publicly traded oilfield services company, operates in many difficult parts of the world and often finds itself making facilitating payments to get spare parts or people into a country or for other routine government matters. Cumberland, Inc. has controls in place in its business units surrounding facilitating payments, including obtaining approval in advance for large non-repetitive facilitating payments (over $500) and properly accounting for all such payments in an account entitled Facilitating Payments. An FCPA audit of Cumberland, Inc. operations in Nigeria discloses 93 payments made to the same customs official totaling $10,500 over a one month period. There are no other facilitating payments. Per capita annual income in Nigeria was $1,154 at the time of the payments.
Questions:
a. Are the 93 payments properly characterized as facilitating payments? Are they in violation of the FCPA?
b. If they do not violate the FCPA, are these payments otherwise legal?
c. What are the consequences to employees making these payments in Nigeria?
d. Does the amount of the payment matter in determining whether it is a facilitating payment?

FCPA case studies: Norfolk, Inc.
Norfolk, Inc. is a US publicly traded oil field services company. Norfolk Brazil, a subsidiary of Norfolk, Inc., regularly provides gifts and entertainment to executives of the state-owned oil company, Nationalized Oil Corporation, Brazilian customs officials and other persons with whom they transact business. Gifts are usually purchased out of petty cash and are not tracked. A review of the petty cash disbursements journal details receipts for the purchase of gifts but provides no information concerning the recipient of gifts or whether such persons are government employees. Entertainment expenses are also paid out of petty cash or put on the company credit cards. Employees are required to file expense reports describing the purpose of a meal or entertainment and who attended, but otherwise, gifts, meals and entertainment to Brazilian government officials or Nationalized Oil Corporation officials are not tracked.
Questions:
a. Does Norfolk have an FCPA issue related to gift giving and entertainment in Brazil?
b. Does Norfolk have a problem under Brazilian law?
c. What controls could be put in place to ensure there are no violations?

Thank You!

Ernst & Young
Assurance | Tax | Transactions | Advisory

About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 135,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

© 2009 Ernst & Young, China. All Rights Reserved. FEA no.0300056

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither the Ernst & Young China practice nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor. Please note that some of these services and activities cannot be provided to audit clients of Ernst & Young or may only be provided in certain limited circumstances. Please check with your usual Ernst & Young contacts for further information.

www.ey.com/china