One of the questions GSK faced during the bribery and corruption investigation of its Chinese operations was how an allegedly massive bribery and corruption scheme could have occurred. Where were the appropriate internal controls? You might think that a company as large as GSK, and one that had gone through the wringer of a prior DOJ investigation resulting in charges for off-label marketing and an attendant Corporate Integrity Agreement (CIA), would have such controls in place.

It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in company policies. It should fall to compliance to finalize and approve a definition of permissible and non-permissible gifts, travel and entertainment; the internal controls then follow from the definition or criteria the company sets. These criteria would include the amount of the spend, localized to reflect increased risk, such as the higher risk recognized in China. Within this context, there are four general internal controls to consider:

  1. Is the correct level of person approving the payment/reimbursement?
  2. Are there specific controls (and signoffs) confirming that the gift had a proper business purpose?
  3. Are the controls regarding gifts sufficiently preventative, rather than relying on detective controls?
  4. If controls are not followed, is that failure detected?

Below are 10 specific inquiries you can make regarding your compliance internal controls specific to third parties.

  1. Prior to entering the relationship, did management: confirm alignment with business strategy; analyze strategic risk; perform risk/reward analysis; and review its ability to provide adequate oversight and management on an ongoing basis?
  2. Can the third party’s activities be viewed as predatory, discriminatory or abusive?
  3. Does your compliance regime include policies and procedures to help manage third-party relationships; internal controls; training; monitoring; and auditing procedures to ensure consistent and ongoing compliance?
  4. Was adequate due diligence conducted that included a review of all available information about the third party (e.g., financial condition, reputation, knowledge of laws, complaints, operations and controls, internal controls and marketing materials)?
  5. Are the expectations and obligations of both the company and the third party outlined in a written contract prior to entering the relationship?
  6. Does the Board of Directors review and approve all material third-party relationships? If not at the Board level, is there a Compliance Committee above the CCO but below the Board which does so?
  7. Does the contract outline the fees to be paid, management information reports, audit rights, limits on the use of consumer information, exclusivity language, the complaint management process, the circumstances that constitute default and the dispute resolution process, and does it provide indemnification provisions?
  8. Did the Board initially approve the third-party relationship and does it review each significant third-party relationship on at least an annual basis?
  9. Is there a process to verify that the third party's operations are consistent with the written agreement and that risks are being controlled?
  10. Does management allocate sufficient qualified staff to monitor significant third-party relationships and provide the necessary oversight (and are these activities reported to the Board of Directors or a designated committee)? What is the frequency of exceptions, and how are they analyzed, documented and reported to management? When applicable, are you comparing and analyzing the third party's sales patterns?

Obviously, the use of third parties can be a powerful and effective way for a business to achieve its strategic goals. This may be one of the key reasons why third parties are still one of the leading indicia of bribery and corruption. Every compliance program should regularly review its third-party service providers and evaluate its internal policies and procedures to ensure compliance.

Three key takeaways:

  1. GSK continues to be an example of what a compliance program looks like without effective internal controls over third parties.
  2. Review the general areas of compliance internal controls listed above.
  3. Third parties remain the highest-risk area for corruption-related issues.