We recently wrote, and provided a list of examples, Red Flags in the anti-corruption, anti-bribery, anti-money laundering context and in the area of international economic sanctions. As we indicated, we do not believe that the mere presence of a Red Flag means that a transaction is violative of the Foreign Corrupt Practices Act (FCPA) or even that the transaction must not go through. The presence of a Red Flag does mean that there should be additional follow up, due diligence and investigation to ensure that any party or transaction which raises a Red Flag is valid. This investigation must be thoroughly documented and in a form which readily creates an audit trail should your company need to provide such data to the Department of Justice (DOJ) or other investigatory body.
We recently read an article by ACL Services entitled “Don’t Get Bitten by the FCPA”, which advocated the use of audit analytics to assist in the creation of an effective compliance program. They promote audit analytics as a core component as it demonstrates a consistent process and follow up for any issues which are identified as Red Flags. It also provides the necessary documentation to enable your company to continue to compare and update its compliance program and provides a readily assessable written record to present to any DOJ official.
The authors also noted several issues which make implementation of such a system challenging. Your compliance program must understand business culture and local language. The system you utilize should support language characters from writing systems outside the United States (think Chinese here). Your audit team should also have access to local resources on business operations, language and culture. The culture of gift giving is wider in some Asian countries than in the US, so special care must be taken to identify and understand such issues.
The centralization of data is critical. Many companies may have different Enterprise Resource Planning (ERP) systems across the world. The laws of many countries vary in terms of the capture and correlation of data and if such information can be transmitted outside a country’s borders. While such issues can be overcome with multiple servers or other hosting solutions, it may increase the difficulty of capturing such data.
The authors provide a framework for the deployment of analytics. They begin with suggesting the prioritization of risk. Recognizing that a risk assessment is now viewed a mandatory first step in any effective FCPA or Bribery Act compliance program; you must prioritize your risks with regards to any issues raised as Red Flags. The authors list a four step approach, which includes:
- Define the Red Flags and compliance questions which are the most important to your overall anti-corruption and anti-bribery program.
- Obtain the data which you need to answer the issue(s) raised by the Red Flag.
- Run analyses, push results out to the right people and automate the process.
- Build from these steps to evolve your system.
The authors end the paper with some questions which we believe every organization should ask itself on an ongoing basis to help keep a compliance program dynamic and not static. These questions include:
- Does your company perform any type of data analysis to address audit or compliance objectives?
- Has your company reviewed how audit analytics could be applied to help with an overall FCPA control assessment strategy?
- Has your company investigated how (or even if) your foreign business partner data is captured?
- How decentralized is your employee expense and payment system?
- How often does your company validate its FCPA controls?
This white paper provides an excellent overview of using the tool of audit analysis analytics in your FCPA or Bribery Act compliance program. We recommend it to you as method to analyze your company’s program and to assist in documenting your compliance procedures.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2011