One of the most consistent themes from the Department of Justice (DOJ) regarding Foreign Corrupt Practices Act (FCPA) compliance programs has been continuous evolution. As far back as 2009, I heard Lanny Breuer say that your compliance program should be continuously evolving, just as your business does, going forward. This concept continues to be enshrined in DOJ pronouncements.
The 2012 FCPA Guidance specifies, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”
In the Evaluation of Corporate Compliance Programs (Evaluation) there were two items which struck me as continuing the requirement of compliance program evolution, both found under Prong 9, Continuous Improvement, Periodic Testing and Review. Under Internal Audit it asked, What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas? Under Control Testing it asked, Has the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties? How are the results reported and action items tracked? What control testing has the company generally undertaken?
All of this means that as a Chief Compliance Officer (CCO) you should keep track of external and internal events which may cause change to business processes, policies and procedures. Some examples are new laws applicable to your business organization and internal events that drive changes within a company. Such internal changes could be a company reorganization or major acquisition.
Continuous evolution requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
A review plan is an excellent tool for the compliance practitioner because it provides a method for the ongoing evaluation of policies and sets forth a manner to communicate and train on any changes that are implemented. More than simply staying current, this approach will help provide the dynamics that the DOJ continually talks about in keeping your program fresh. Lastly, such a review plan can also guide the compliance practitioner in creating an ongoing game plan for compliance program upgrades and updates that Stephen Martin advocates.
The FCPA Guidance makes clear that each company should assess its risks and manage its risks. The Guidance specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and Securities and Exchange Commission (SEC) take into account when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.
One tool that is extremely useful in the continuous evolution, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.
Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.
Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local Finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.
The DOJ emphasized again with the Pfizer Deferred Prosecution Agreement (DPA), the need for a company to establish protocols for auditing. It included the following detail on auditing protocols:
- On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training.
- Review of a representative sample (appropriately adjusted for the risks of the market) of contracts with and payments to individual foreign government officials as well as other high-risk transactions in the market.
- Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations.
- A review of the books and records of a sample of third party representatives which, in the view of the FCPA proactive review team, may present corruption risk. Prior to such an investigation, however, the company should have procedures in place to make sure every investigation is thorough and authentic, including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently.
There are many tools you can use to evolve your compliance program. Many of these techniques are straight-forward and are available at little or no cost to you. Further, many insights are often found in your own company’s data so you should mine what is available to you right now. When the regulators come knocking, this is one area they will certainly look to see; how your compliance program has evolved with the changing business realities of your company. You need to be ready to show them.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2017