As we have noted, the key to any testing, whether in the form of an audit or assessment, of your Foreign Corrupt Practices Act (FCPA) compliance program is not to be afraid of the results. If there are components which need to be enhanced, you will have the opportunity to do so. If additional or supplemental training is called for take the opportunity to provide it. In short, do not be afraid of the results and use Paul McNulty’s maxims of “what did you find” and “what did you do about it”. After you have completed the FCPA audit, what steps should you take? This post will explore some of the issues related the evaluation and response.
Evaluate – The Triage Committee
Initially you must evaluate the results of your testing. If a significant issue has arisen, such as a possible violation of the FCPA or other serious infraction of your compliance program, you should carve this issue out and refer it to the appropriate group within the company. In the Johnson & Johnson Deferred Prosecution Agreement (DPA) Attachment D – Enhanced Compliance Obligations is the concept of a compliance oversight committee, which is termed as the “Sensitive Issue Triage Committee” whose responsibility is to review and respond to any FCPA issues that may arise. This Triage Committee can be a valuable resource to refer such matters for further investigation. If your company does not yet have such a committee, this referral can be made to the Legal or Compliance department, who can initiate a more formal or detailed investigation. You may also wish to bring in specialized outside investigation counsel, early on, to assist with the evaluation and investigation of any such significant issues.
After carving out the significant issues that require immediate and/or further investigation, you should review the overall results. You will need to bring together the relevant audit team members you have used. This should have included the compliance, legal and internal audit or other financial controls team members to review the overall effectiveness of your internal controls, including the books and records review. All interviews should be summarized and analyzed. If deficiencies were found, you should determine if additional or more focused training is warranted.
After your evaluation is complete, you need to prepare a detailed Response Plan, including the detail of how you intend to implement the proposed responses. Here we would suggest that all corrective and preventive action plans be closed within 90 days of completion of the audit. The goal is to drive each region or business unit audited to adhere with your company’s compliance program, as we believe that this provides the best path to positive change over the long term.
You should set out the time frame to accomplish the tasks which may need remediation. There should be specific assignments of responsibility made to handle the designated tasks. If required or called for you should have interim progress made on the tasks assigned. Finally, there should be a final report on the results of your implementation plan.
An ongoing question in this phase is whether or not to administer discipline. Some feel that if discipline is administered as a result of audit findings, the result will be less than forthcoming cooperation in the next round of audits and assessments. However, I am a firm believer that if disciplinary action is warranted it needs to be applied consistently. This means that if information was received in any manner other than under an amnesty program and discipline is warranted, you should discipline employees for compliance violations just as you would if the information came in through a mechanism other than an audit. As with any corporate discipline, it should be administered fairly, in accordance with company policy. One thing to keep in mind is that discipline must be meted out consistently, across the company on a world- wide basis, for example if you terminate employees in South America for intentional misrepresentations on travel and entertainment accounts, you must do the same for US employees.
The final question we will explore is who should get the report? There is usually dynamic tension between the Legal Department, which desires to restrict access, and the Compliance group, which believes it can be used as a teaching tool from which to learn valuable lessons. Initially, the Final Report should be reviewed and approved by all Triage or compliance oversight committee members as it should be sent to the Company’s Board of Directors or Audit Committee. You will also need to share the full report with the local management of the region or business unit which was audited. Any individuals who receive discipline, sanctions, or any type of counseling for issues that were uncovered by the audit should also receive the report portions which relate to them.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2011