Auditing Agents and Consultants for Compliance with the FCPA

www.theiia.org

Welcome to Today’s Webinar • Before We Begin – – – –

Sponsors CPE Requirements Demographic Polling Questions Q&A Session

• Copyright: These materials are presented by The IIA. Use without expressed written permission of it is prohibited.

www.theiia.org

A Word from our Sponsors…

www.theiia.org

CPE Requirements • Only registered participants are eligible to receive CPE credit. • A series of polling questions will be posed throughout the presentation. • You must respond to 70% of the polling questions to receive credit. • Be sure to select the submit button, after making your answer selection. • You must view the entire webinar. • Early departure could result in decreased CPE award. www.theiia.org

Demographic Polling Questions 1.

How many viewers are watching the Webinar at your location? a) b) c) d) e)

2.

1 – I am the only viewer 2 to 4 viewers 5 to 7 viewers 8 to 10 viewers More than 10 viewers

At what level in your internal audit career are you? a) b) c) d) e) f)

www.theiia.org

New to internal audit Staff Auditor Sr. Staff Auditor Audit Manager Audit Director Chief Audit Executive

Webinar Participation • Submitting Questions to the Presenter: – Type the question into the Q&A panel section. – Select the “Send” button. – We will have a dedicated question and answer session at the end of the presentation to address your questions.

• Technical Assistance – Type your issue into the Chat panel section to IIA Tech Support. – Select the “Send” button. – We will respond to your question privately.

www.theiia.org

Auditing Agents and Consultants for Compliance with the FCPA

www.theiia.org

Today’s Discussion • FCPA third party risks • Objectives of the audit and approach • Leading practices and considerations • Insights from Ernst & Young’s 11th global fraud survey

www.theiia.org

Third Party Risks – FCPA Overview Anti-bribery Provisions: •

Criminal offense for U. S. companies or persons to bribe foreign officials for business purposes.

Recordkeeping and Internal Control Provisions: •

Requires U.S. issuers (SEC registrants) to make and keep detailed and accurate financial records; prohibits the falsifying of corporate records to conceal bribes to foreign officials and other improper payments.

•

Issuer must devise and maintain a system of internal accounting controls to ensure accurate reporting of transactions, safeguarding of assets and financial statements are prepared in accordance with GAAP.

www.theiia.org

Third Party Risks – FCPA Overview No issuer, domestic concern, person in U.S. May corruptly Take action in furtherance of payment or a promise, offer or authorization of payment Of a bribe or anything of value Directly or indirectly To a foreign official To obtain or retain business or improper advantage

www.theiia.org

Third Party Risks – FCPA Overview FCPA actions are on the rise 45

40 38

40

33

35

14

30

20

13

25 20

15 12

15

26

10 5

5

5

8 18

3 2

7

7

2004

2005

2006

20

0

DOJ Actions

www.theiia.org

2007

2008

SEC Actions

2009

Third Party Risks – Agents and Consultants Bribes paid indirectly through agents and consultants •

In some countries and regions, business is conducted not directly by a company’s own employees, but indirectly through agents, consultants or other third parties. – This practice or custom may allow a company to learn about a new business opportunity, culture, or region through the eyes of someone who is already knowledgeable.

•

A common feature of many FCPA prosecutions is the use of local agents/consultants to pay bribes and conceal the payments.

•

The FCPA prohibits both direct or indirect bribes including bribes paid through agents/consultants whether “known” or “should have known”. Willful ignorance/blindness is not a defense.

www.theiia.org

Third Party Risks – Agents and Consultants Types of “Agents and Consultants” to consider •

Sales representatives

•

Distributors

•

Customs agents and freight forwarders

•

Law firms

•

Accounting firms

•

Tax consultants/advisors

•

Other professional services firms

www.theiia.org

Third Party Risks – Agents and Consultants Conducting Business with Agents and Consultants •

Conduct FCPA due diligence prior to entering into relationship

•

Require a written contract clearly specifying work to be performed, payment terms, invoice requirements, etc.

•

Include FCPA language / certification in contract

•

Include audit rights for potential improper payments and exercise!

•

Central oversight of agents and consultants

www.theiia.org

Third Party Risks – Due Diligence •

Internal approval process with elevated vetting for high-risk agents and consultants

•

Questionnaires and verification

•

External reference checks

•

Press/public information searches (including local press and “blacklist” searches)

•

Local law check

•

Documenting benchmarking of compensation

•

Investigation of specific red flags

•

Identification of relationships with government officials

•

Interviews/awareness training

www.theiia.org

Third Party Risks – Payment Process and Controls

Payment Process and Controls • Understand controls in place • Level of supporting documentation, review and sign-off • Red flags

www.theiia.org

Third Party Risks – Agents and Consultants Vetco International •

Four Vetco International Ltd. subs made at least 378 corrupt payments (totaling approximately $2.1 million) to Nigerian Customs Service officials through an agent

•

Payments were to secure preferential customs treatment for the importation of goods and equipment into Nigeria

•

Subs pleaded guilty - $30.2 million total fine

•

Independent monitor

•

Financial costs; cost of company personnel and other resources

www.theiia.org

Third Party Risks – Agents and Consultants Nature’s Sunshine Products, Inc. (“NSP”) - 2009 •

“Control person” liability

•

Allegedly made over $1 million in cash payments to customs brokers where some of these funds were paid to Brazilian customs officials

•

NSP civil penalty of $600,000; CEO and former CFO civil penalty each of $25,000

Frederic Bourke - 2009 •

“Willful blindness”

•

$1 million fine; One year and one day in prison

Christian Sapsizian - 2007 •

A non-U.S. citizen, employed by a non-U.S. entity (French corporation with registered shares traded in the United States)

•

Employed an agent consulting firm as a conduit for bribe payments to government officials

•

Sentenced to 30 months in prison and continued cooperation with U.S. and foreign law enforcement officials in the ongoing investigation concerning the French corporation

www.theiia.org

Polling Question #1 How would you best describe your FCPA experience / expertise? a) No direct experience or training b) No direct experience but some training in the area c) Involved in implementation of FCPA policy or compliance program d) Direct experience in an FCPA compliance audit or investigation

www.theiia.org

Objectives of the Audit and Approach Per IPPF Standard 2130.A1- The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the: • Reliability and integrity of financial and operational information; • Effectiveness and efficiency of operations; • Safeguarding of assets; and • Compliance with laws, regulations, and contracts.

www.theiia.org

Objectives of the Audit and Approach Summary of recommendations and leading practices including: • Making sure controls are properly designed, well established, and documented; • Coordinating FCPA and financial reporting control reviews; • Performing a risk assessment that identifies FCPA compliance risks; • FCPA screenings as part of compliance audits; Determining if the organization is providing FCPA training; and, • Performing testing procedures as a scope area in audit engagements www.theiia.org

Objectives of the Audit and Approach Sarbanes Oxley (“SOX”) vs. FCPA Testing - Key Differentiators •

Financial Reporting Internal Controls vs. Anti-Bribery Compliance

•

Materiality

•

Quantitative vs. Qualitative

•

Controls Testing vs. Substantive Testing

www.theiia.org

Objectives of the Audit and Approach Maintain the proper Mindset • Qualitative aspects • Not a “check the box” exercise • Avoid a “cookie-cutter” approach • Professional skepticism • Professional experience • Judgmental sampling

www.theiia.org

Objectives of the Audit and Approach • Understand the services provided • Understand the third party process • Determine the level of books and records maintained • Identify any indicators/red flags of bribery • Evaluate training and knowledge of the FCPA • Evaluate due diligence • Evaluate payment process and controls

www.theiia.org

Polling Question #2 Has your organization conducted any FCPA audits of agents / consultants within the past year? a) Yes b) No c) Don’t know/Not applicable

www.theiia.org

Audit Planning • Risk assessment • Due diligence (level, frequency, documentation) • Internal discussions (Business/operations, Legal, Compliance, other stakeholders) • Agreements in place • Right to audit clause • Notification process • Preliminary transaction analysis • Who attends the audit? • Work performed at direction of counsel?

www.theiia.org

Assess Services Provided, Third Party Processes, Training and Knowledge of FCPA • External discussions – Agent/consultant – Accounting / Operations

• Internal discussions • Periodic certifications • Communications regarding FCPA • Level of cooperation • Red flags

www.theiia.org

Bribes Can Take Many Shapes and be Anything of Value Red flags may include: • Cash • Lavish gifts or entertainment • Non-essential, lavish travel expenses • Improper campaign contribution • Payments to charity of official’s choice • Scholarship or travel for family members

www.theiia.org

Example FCPA “Red Flags” - Agents and Consultants •

Country has historical bribery problem

•

Partner or agent refuses to promise not to violate FCPA

•

Type of industry or industry historically susceptible to improper payments or prior history of improper payments

•

Requests for false invoices or other documents

•

Invoice or request for payment that is unusual or departs from normal practice

•

Offshore payment requests

•

No one can describe services rendered by agent

•

Agent/consultant has a questionable reputation

•

An excessive commission

•

Government customer recommends or requires use of an agent

•

Partner or agent related to foreign official

•

Suggestions that money needed to “get the business”

www.theiia.org

Books and Records • Complexity of books and records • Separation of books and records from other clients • Location of records • Level of supporting documentation – – – –

Correspondence Receipts Accounting entries Descriptions

• Level of cooperation • Red flags

www.theiia.org

Books and Records Per Books & Records

Transaction

“commission” “consultancy”

Employees and agents paid kickbacks and bribes to Iraqi government in order to obtain contracts.

“inspection fees” “acceptance fees” customer “training” trips

Payments to consultant at recommendation of Kazakhstan official to secure tender for software contracts.

“sales commissions” “commission to the customer” “refunds” “rebates”

Bribes paid to managers in China that were owned in whole or part by the Chinese government to obtain business.

“after sale service fee” “consultation fees”

Employees and agents of French subsidiary paid kickbacks to Iraqi government in order to obtain contracts.

“express courier service” “local processing fee” “administrative/transport fee”

Bribes paid to Nigerian customs officials to receive preferential treatment during customs process.

www.theiia.org

Polling Question #3 When conducting FCPA compliance audits, how would you characterize your interaction with the Legal and Compliance departments? a) No interaction at all b) Some interaction c) Frequent interaction d) Don’t know/Not applicable

www.theiia.org

Encountering Red Flags

• Established action protocols – Defined consultation procedures – What information to gather? – When to stop? – Legal; Compliance; Audit; other stakeholders – Legal privilege

www.theiia.org

Insights from Ernst & Young’s 11th Global Fraud Survey Overview •

The global financial crisis has made it harder for certain existing frauds to be concealed and has brought increased personal and commercial pressures.

•

Companies beginning to focus on growth must be aware of the risks of operating in new markets/geographies and be mindful of building an appropriate and effective compliance framework.

•

Global enforcement of unethical behavior by regulators continues to increase organizations need to continue to demonstrate compliance.

•

The economic downturn eroded the resources needed to support anti-fraud and anti-corruption initiatives such as personnel cuts in internal audit.

•

Dwindling top-level support for long term fraud prevention initiatives.

www.theiia.org

Insights from Ernst & Young’s 11th Global Fraud Survey Recent experiences of fraud Global

16%

Western Europe (WE)

21%

Latin America (LA)

21%

Middle East and Africa (MEA)

18%

Central and Eastern Europe (CEE)

14%

Japan (JP) North America (NA)

9%

Far East (FE)

8%

Australia (Aus)

8%

10th Global Fraud Survey (2008)

www.theiia.org

12%

13%

Polling Question #4 When did your organization last carry out a fraud risk assessment? a)