WHITE PAPER

Assessing Your Company's Risks of Non-Compliance With the Foreign Corrupt Practices Act: A Practical Guide

By Joseph Howell, Workiva, and Brent Macey, Schnitzer Steel

This article originally appeared in the Compliance Week e-book, Internal Controls in an FCPA Compliance Program.

Congress passed the Foreign Corrupt Practices Act (FCPA) in 1977 in response to an epidemic of bribery and corruption when some 400 American companies admitted to making foreign bribes. [1] The law consists of two main provisions:

- The anti-bribery provisions, which prohibit bribery of foreign government officials by U.S. citizens, U.S. companies, U.S. companies' foreign subsidiaries, and others, if the violation occurs in the United States
- The accounting provisions, which set requirements for issuers or companies traded on a U.S. stock exchange regarding record-keeping and internal accounting controls

Initially, the law as enacted was enforced primarily against large U.S. corporations that were engaged in international business. These companies had ample resources to devote to understanding the law and implementing the needed processes and controls to assure compliance.

Today, due to the increasingly global nature of U.S. business, the FCPA is being enforced against a much broader range of companies, ranging from large multinational enterprises, to small- and medium-size businesses, to start-ups, many of which have not had to deal with FCPA compliance in the past.

Not surprisingly, over the last decade, the statute has also become a juggernaut for enforcement actions by the U.S. Department of Justice and the Securities and Exchange Commission (SEC), which have stepped up their scrutiny of companies' activities. From a low of five enforcement actions in 2004, the agencies have taken 336 FCPA enforcement actions over the last 10 years (2005-2014), averaging nearly 34 a year. [2]

In addition, the costs of monetary resolutions of these actions have soared from an average of about $7 million in 2005 to more than $156 million in 2014, and these do not include internal costs, both monetary and in terms of costly distractions from companies' operations during the multiyear investigations. [3] In many, if not most, cases these actions came about because of management's failure to adequately assess their risks and institute the appropriate internal controls.

After settling more than $2 million in penalties with a U.S. company charged with FCPA violations, the chief of the SEC Enforcement Division's FCPA Unit, Kara Brockmeyer, emphasized in a recent statement, "This is a wake-up call for small- and medium-size businesses that want to enter into high-risk markets and expand their international sales. When a company [sells its] products overseas, it must ensure that the right internal controls are in place and operating." [4]

The message for compliance officers and anyone in a risk function is clear: whether your company is large or small, if you are engaged in international activities, it is critical that you and your team thoroughly assess and understand your company's risks of non-compliance with the FCPA and design your controls accordingly, or you risk becoming a costly statistic. Fortunately, there are practical and cost-effective ways to do this.

Understanding the law

Ironically, many companies delay addressing and implementing the appropriate internal controls for FCPA when they begin conducting international business, which puts their enterprises at risk. The reasons vary with the company but commonly include:

- They believe that they conduct ethical operations, so it won't happen to them
- They perceive compliance to be a huge, expensive undertaking at a time when they have other priorities
- They do not know how to get started
- They are unsure how to determine what might be missing from their current control environment

The good news is that the process you will need to follow is both logical and doable. The first step is for you and your team to adequately understand the law and how it applies to your company's operations. While there are many technicalities and nuances to the FCPA, the basic tenets of the law are relatively easy to grasp.

The FCPA's anti-bribery provisions prohibit the paying, promising, offering, giving or authorizing a payment, offer, gift, or promise of anything of value to a foreign government official with a corrupt intent (i.e., for the purpose of obtaining or retaining business, or directing business to any third party).
A foreign government official includes officers or employees of foreign governments and public international organizations, foreign political parties, foreign party officials, candidates for office, employees of foreign state-owned (in whole or in part) entities, and anyone else, if it is known that the bribe will go to a prohibited recipient.

Similarly, the FCPA's accounting provisions require issuers to:

1. Make and keep accurate books, records, and accounts that, in reasonable detail, accurately and fairly reflect the issuer's transactions and disposition of assets
2. Devise and maintain a system of adequate internal accounting controls that, among other things, provide reasonable assurances that unauthorized payments have not been made

Your team could conduct its own review and evaluation of the law from the many existing resources on the FCPA, including guidance issued by the Department of Justice, and have your work reviewed by a legal advisor that specializes in the FCPA. Alternatively, your company could enlist the services of an outside expert, e.g., a lawyer or consultant, to perform an evaluation and present it to your senior management and the board. In either case, it is important that you have a good understanding of the FCPA provisions and how they apply to your company before beginning the process of identifying and assessing your FCPA risks.

Conducting the risk assessment process

Once you understand the law's provisions, you and your team will need to identify the specific risks that could jeopardize your company's compliance with it. Attempting to implement controls to manage FCPA risks without performing a risk assessment would be like going on a hike without a map: you will end up someplace, but likely you won't be efficient, nor will you get where you really want to go.

Any risk assessment starts with a clarification of objective(s) that you wish to achieve.
In this case, the objective is for your organization to be compliant with both the anti-bribery and the books and records provisions of the law. A good practice is to appoint a small steering committee to lead the risk assessment process, which will focus on identifying the specific risks related to bribery. This team should be cross-functional and include representatives from legal, finance, compliance, risk, purchasing, sales functions, etc. Essentially, you will need to determine all the ways you operate internationally and make sure your team includes someone with knowledge of that area.

The first task for the steering committee is to delve into details regarding how and where individuals in your organization may interact with foreign entities and foreign persons, i.e., foreign contacts. This would include foreign customers, suppliers, customs personnel, freight forwarders, agents, business partners, joint ventures, government personnel, and others.

By definition, a violation of the FCPA involves a bribe to a foreign government official. It may be difficult to determine which foreign contacts fit this definition. One thing to keep in mind is that in addition to the obvious employees of a foreign government, e.g., customs inspectors, any employee of a foreign organization that is at least owned in part by a foreign government may be considered a foreign government official. In some cases, a detailed investigation may be required to determine ownership of a foreign entity to determine if its employees fit this description. Another method is to assume all foreign entities are owned in part by a foreign government and therefore simply consider all of their employees as foreign government officials.

For some organizations with limited international reach, this evaluation will be a relatively straightforward process. For organizations doing business with numerous people in multiple foreign countries, the task will be more time consuming. Further complicating the process are international operations, i.e., factories or offices operating within a foreign country. Some of the individuals employed there may not consider government officials foreign. This requires analysis and training. And, if you have operations overseas and you have not considered the FCPA, it is safe to say your risk is substantial.

Once all foreign contacts are identified, the steering committee then identifies all types of hypothetical actions by the organization or employees that could be considered a bribe under the FCPA.
These could include paying cash, giving a gift, providing travel, meals, or entertainment, hiring relatives, making charitable or political contributions, etc. Note that an offer to pay any of these types of items could be considered a bribe even if the item is never actually provided.

Keep in mind that materiality plays no part in determining if an item may be considered a bribe. The focus is on the intent of the bribe, not the amount. Therefore, it is important to calibrate your focus to include transactions that, under accounting standards, may be considered immaterial. For this reason, simply relying on Sarbanes-Oxley controls will not ensure compliance with the anti-bribery provisions of the FCPA.

Regarding the books and records provisions, the FCPA does not prescribe the exact definition of what is considered adequate. The books and records need to accurately and completely record transactions in accordance with applicable accounting principles and provide adequate transparency.

As strange as it sounds, some organizations have been found to be in violation of the books and records provisions of the FCPA by not recording bribe payments made by employees of the organization in a bribe expense account or a facilitation payment in an appropriately titled account. The organizations recorded these payments as commissions, royalties, gifts, or other related expenses, which are not considered adequate transparency. Notwithstanding this type of attempt to hide transactions, most public companies, which are subject to outside audits and Sarbanes-Oxley, are more likely to be in compliance with the books and records provisions.

A practical example

Let's examine this situation. The steering committee identifies your company's sales personnel as regularly interacting with foreign buyers and periodically traveling to foreign countries to meet with these buyers.
The first risk identified by the steering committee is that one of your salespeople may pay cash to a foreign purchasing department employee to entice them to purchase from your organization. The steering committee will then need to understand the risk further by considering when and where the sales employee would have access to cash to make such a payment. The cash sources might include payments from the U.S. home office, petty cash in some location, or foreign bank accounts, etc., to which the employee has access.

The steering committee might then consider the next identified risk (for example, the case of sales personnel providing an expensive gift to the foreign customer) and identify how the employee might actually purchase the gift using company funds. The committee would continue this process of identifying risks, based on input from the various operational, functional, and divisional employees asked to participate.

In most cases, the result of this process of identifying risks will likely be a substantial, detailed list of risks. Some of these risks will be more likely to occur than others. Typically, the steering committee will rank the risks so that the focus can be placed on the highest-rated risks. This is most often accomplished through a ranking of likelihood and impact of each of the risks. However, given the lack of materiality inherent in the FCPA, in most cases, the primary ranking criteria should be the likelihood of the risk occurring.

It is important to note that when ranking the likelihood and impact of each of the risks, the inherent risk should be identified, without regard for the controls that may be in place. If controls are considered during this exercise, a determination could be made that a significant risk is not likely to occur because of the perceived effectiveness of the current control(s) over the risk. A risk assessment seeks to identify the most significant risks regardless of existing controls. The effectiveness of the controls is considered and audited in a separate process.

Depending on the size of the company and the extent of foreign contacts, the process of identifying the population of risks may take some time. My experience is that employees who are invited to participate in risk identification generally enjoy the exercise as it allows them to contribute their knowledge of the foreign contacts and activities to strengthen controls.

Once the population of risks is identified and effectively ranked from highest to lowest, the steering committee can make a recommendation to senior management and the board as to which risks to link with controls and which risks to manage in a different manner. See exhibit A.

Conclusion

We recommend that all companies with foreign contacts conduct an FCPA risk assessment. The process does not need to be overly complex. Once the risks are known and ranked, the process of linking controls and periodically auditing those controls will provide significant value to your senior management and board of directors.
Adequate FCPA risk identification, controls, training of employees, and periodic auditing will also provide confidence that your company can continue to expand its business internationally while avoiding the potentially damaging and costly consequences of an FCPA investigation.

[Exhibit A]

About the authors

Joseph Howell is Co-founder and Executive Vice President of Workiva, which created Wdesk, a cloud-based productivity platform for enterprises to collect, link, report, and analyze business data with control and accountability. Prior to founding Workiva, Joe served as Chief Financial Officer of three public companies: Borland, EMusic.com, and Merix.

Brent Macey is the Director of Internal Audit for Schnitzer Steel Industries, Inc., which is one of the largest manufacturers and exporters of recycled metal products in the United States with facilities in 24 states, Puerto Rico, and Western Canada. The company was recently named one of the 2015 World's Most Ethical Companies by the Ethisphere Institute. Prior to joining Schnitzer, Brent was an Assurance and Risk Management Partner with PricewaterhouseCoopers LLP. A Certified Public Accountant, he earned his bachelor's degree from Oregon State University.

Resources

[1] Foreign Corrupt Practices Act. (2015). The Department of Justice. Retrieved from: http://www.justice.gov/criminal/fraud/fcpa/
[2] 2014 Year-End FCPA Update. (2015). Gibson Dunn. Retrieved from: http://www.gibsondunn.com/publications/pages/2014-year-end-fcpa-update.aspx
[3] Ibid.
[4] SEC Charges Smith & Wesson With FCPA Violations. (2014). U.S. Securities and Exchange Commission. Retrieved from: http://www.sec.gov/news/pressrelease/detail/PressRelease/1370542384677

The information contained herein is proprietary to Workiva and cannot be copied, published, or distributed without the express prior written consent of Workiva. © 2015.