Looking for outliers in commissions and other contract terms in third party agreements is a key focus for auditors
With government regulators around the world paying closer scrutiny to corporate anti-corruption and bribery policies, companies need to fully understand what is expected of their compliance programs. That was a key message of a webinar on FCPA compliance audits hosted by PwC in late November. The webinar shared lessons from recent government investigations
Compliance is intended to be a regular business practice and companies need to ensure their programs are assessed by an outside auditor and updated regularly, said David Wilson, a partner at the law firm Thompson Hine.
‘Most [Foreign Corrupt Practices Act] cases end up settling. What the government expects and what they enforce in settlement terms requires that companies have a meaningful compliance policy that includes audits,’ he said.
The emphasis placed on compliance audits in a FCPA resource guide issued by the Department of Justice and the SEC in November 2012 and the 2013 annual report of the OECD Working Group on Bribery show that ‘this is clearly a wave going around the globe and it’s important for anyone doing business internationally to understand it,’ he said.
Conducting regular reviews and audits of compliance programs can be costly and logistically challenging for companies with business units around the world, however, Wilson said a company-wide audit isn’t necessary at the outset.
‘First you do a risk assessment to make sure you have the right program in place,’ he said. ‘Then you test that in a site-specific way, based on the nature of the business you do and where you do business. Certain businesses are hotspots for corruption.’ In addition, companies must do transaction testing of expense reports and ledgers, as well as interview some employees to understand how the compliance policy is working.
Risk assessments must be designed specifically for the type of business a company is in rather than being one-size-fits-all, according to Peter Viksnins, a director in forensic services at PwC. The assessment must consider whether a company is in an industry known for compliance problems, whether a company has a history of compliance problems and audit findings, and the nature of its business locations and transactions.
The scope of an FCPA audit differs from that of other types of audits because it probes into business areas that are most susceptible to corruption risk, said Albert Vondra, a partner at PwC. An FCPA audit will typically look at whether a company has provided guidance to employees about how to handle hospitality and other corruption-related issues.
There is also a greater focus on third party agreements and payments as 70 percent of compliance audit findings involve dealings with third parties, Vondra said. Auditors mostly look for outliers in the value of commissions being paid to third parties for their services, he added.
It’s critical that companies conduct operations compliance assessments, understanding that procedures used for finance and accounting, gifts and hospitality and expense reports will come under scrutiny.
‘Travel is often a difficult area,’ said Vondra. ‘The DoJ is not so troubled by trips to a company’s locations. They’re looking at side trips that result in periods of time far in excess to what travel for the company was, like a jaunt to Disney World [on the back of a business trip].’
One recent settlement with the SEC was based on a company’s failure to audit third-party profit margins, which influence end prices that business partners charge, Viksnins said. Rather than a distributor’s actual profit margin, the SEC is looking at ‘whether there is inequity between similar distributors or rebates,’ he said.
Auditors are also looking at whether a company performed due diligence prior to retaining a third party, including customs agents, attorneys, consultants, and anyone who helps with tax filings or might interact with government officials. Whether third-party contracts include right-to-audit clauses and whether companies exercise such rights are also of interest to auditors, Vondra said.
Companies must communicate the goals of an audit with employees and be even-handed, he said. An audit must result in action, whether it is disciplining employees found to have violated compliance policy, or changing business partners if necessary. It’s also critical to preserve information on an audit’s findings and make sure there’s a system for reporting up to senior management and the board when issues arise.