William Henderson, a CPA and former federal prosecutor, is a partner in the Fraud & Investigative Services Practice of Ernst & Young LLP.

This article originally appeared in the spring 2008 issue of OCEG's publication GRC 360.

The world is getting smaller and the reality of a truly global marketplace now puts the spotlight on less-than-honorable business practices that have for so long inhibited growth in the developing world. This is a very positive forward movement for growing economies. Multi-national corporations are driving a lot of this change, with not-so-little encouragement from regulators. In the United States, the U.S. Department of Justice and the Securities and Exchange Commission are spearheading the fight against global corruption. The principal weapon in their arsenal is the U.S. Foreign Corrupt Practices Act.

The anti-bribery provisions of the FCPA make it unlawful for U.S. persons and companies to pay bribes to non-U.S. government officials for the purpose of obtaining or retaining business. The FCPA also requires U.S. and non-U.S. companies with securities listed in the United States to meet its accounting provisions. These accounting provisions, which were designed to operate in tandem with the anti-bribery provisions of the FCPA, require covered corporations to make and keep books and records that accurately and fairly reflect the transactions of the corporation and to devise and maintain an adequate system of internal accounting controls.

Regulators, lawyers and accountants have been sounding the alarm about the rising level of prosecutions under the FCPA for quite some time now. This is no Chicken Little situation. Enforcement is on the rise and FCPA violations are serious business for companies and executives.

FCPA compliance is top of mind for companies doing business in emerging markets. Executives and boards are scrambling to understand just what the Act means to them, what they can do to address compliance risk, and how they can proactively develop programs to address concerns. While some are still reacting to the growing volume of warnings, many companies have already designed and implemented successful programs that effectively mitigate FCPA risk. These proactive policies and procedures serve as important examples for other companies. So what can you do?

Create an Anti-Corruption Program

Effective compliance starts with effective communication. Words matter when designing and implementing an FCPA compliance program. The program should be couched as an "anti-corruption" program—and not in terms of the more legalistic and U.S.-centric "FCPA."

Conduct a Corruption Risk Assessment

An anti-corruption program should focus on the specific risks of corruption and bribery facing your company. These risks are derived from the nature of your operations, the degree of business with non-U.S. government entities, your business locations and company size, and the regulatory environment you operate in. Conduct a corruption risk assessment to identify and prioritize these and other risks you face. The first step in building an effective anti-corruption program is to design and implement strategies and allocate resources to manage such risks. Additional risk assessments should be undertaken periodically to ensure that the program in place is meeting new risks and challenges as the business and regulatory environments change.

Adopt a Corporate Anti-Corruption Policy

Develop a company-wide policy requiring compliance with the FCPA and other anti-corruption laws. The overall compliance policy should detail how compliance will be achieved and address such issues as facilitating payments, FCPA due diligence in mergers and acquisitions, joint ventures, contracting with agents and consultants, commercial bribery, accuracy of financial reporting and audits of internal controls. The corporate anti-corruption policy should be approved by your board of directors, distributed to your company management, and posted on your internal website with other compliance-related policies.

References to your anti-corruption policy should be included in the written code of conduct issued to all company employees. Make a short and simple statement of FCPA requirements and of employees' duty to comply. Compliance with the anti-corruption policy should have a prominent place in your company's overall compliance regime. Setting clear standards, creating an appropriate tone at the top, educating and training, auditing, monitoring and implementing appropriate investigative and disciplinary action should all be part of the strategy.

Conduct Anti-Corruption Compliance Training

At a minimum, every person in a position to obtain business through bribery or other improper means should receive anti-corruption compliance training. Also consider training all accounting and financial employees. Consider a mixture of live training for targeted and senior employees and web-based training for all employees. The training should be reviewed and approved by legal counsel and tailored to meet the company's FCPA risk profile. Continually update the training and provide it to new or transitioning employees.

Audit for Anti-Corruption Compliance

Anti-corruption compliance audits should be conducted by internal audit at the various business units to identify any potential violations. These audits should occur on a rotating schedule, based on the relative likelihood of FCPA violations occurring in each of the various business units. Potential FCPA violations or "red flags" uncovered in the audits are then reported to the legal or compliance department for consultation concerning further investigation.

Internal audits have a powerful deterrent effect: They send a message that the senior management is committed to compliance. Appropriate follow-up and disciplinary action are crucial to creating an anti-corruption culture. It is also important that persons with the relevant skill sets and training conduct the audits. Some companies choose to have internal audit team with legal and compliance departments in conducting the audits.

Adopt Policies for Retaining Agents and Consultants

Create policies to govern the retention of agents, consultants, commercial sales representatives and other third parties to address the risk that such third parties may pay or offer to pay bribes on the company's behalf. The policies could include mandates that the company perform FCPA due diligence, require a written contract with anti-bribery representations and warranties, dictate periodic compliance certifications from the vendor and demand in the contract—and exercise—the right to audit the vendor for FCPA compliance. The vendor could also be required to undergo company-sponsored anti-corruption training. These policies should be tied to, and at least partially administered through, the company's procurement processes.

Incorporate into Travel, Gifts and Entertainment Rules

The FCPA is implicated by giving gifts or providing entertainment or travel to non-U.S. government employees. Such payments, or even offers, need to be carefully monitored to ensure against even the appearance of impropriety. A clearly stated approval process for such gifts and a gift log that can be audited are important components of a gifts-and-entertainment policy. Any travel or lodging provided to non-U.S. government officials should undergo a heightened approval process.

Create an Approval Process for Facilitating Payments

If your policy allows facilitating payments, develop a process to ensure appropriate review and pre-approval of all such payments, including analysis of their legality under local law and the FCPA. Facilitating payments are narrowly defined as payments to government officials for routine and non-discretionary action. If approved, such payments are recorded in a separate general ledger account to ensure transparency. All authorizing documentation also should be retained. One risk generated by a policy that permits facilitating payments is employees may not understand the policy and misinterpret the authority to make facilitating payments as permission to offer or pay bribes. Accordingly, such payments need to be tightly controlled, carefully monitored and rigorously audited.

Payments for travel and related expenses for non-U.S. government officials are permitted under the FCPA in limited circumstances when related to the promotion of a specific product or to obtaining a contract. Such payments only should be allowed with pre-approval and with mechanisms in place so that they can be carefully monitored and reviewed.

Develop Guidance for Charitable Giving

Charitable giving guidelines also should be included in anti-corruption policies to ensure the charities are not used as conduits for bribes. All charitable giving should be subject to an approval process that asks specific questions related to the purpose of the gift and the bona fides of the organization.

Due Diligence for M&A and Joint Ventures

Develop a policy to require specific anti-corruption due diligence in any contemplated merger, acquisition or joint venture. Statements accurately disclosing any past FCPA violations should be included in the seller's representations and warranties related to the transaction or as part of the merger or joint venture contract. Address future compliance with the FCPA in the contract.

Implement Anti-Corruption Financial Controls

Consider implementing specific anti-corruption financial controls around high-risk operations and processes. Focus these controls on high-corruption-risk areas such as transactions with government customers, procure-to-pay, cash, petty cash, gifts, customs and cross-border shipping, executive travel, meals and entertainment. Such heightened financial controls are focused on deterring and detecting illicit payments and can be a critical firewall in avoiding FCPA books and records violations.

Anti-corruption controls include accounting controls, controls for bank accounts and cash, vendor approval processes and transaction processing and monitoring (see The Hot Zone, page 16). It is critical also to communicate the importance of FCPA compliance to business unit controllers, accounts payable and other accounting professionals. Provide specific guidance to ensure accounting professionals are on the lookout for red flags. Be clear about how certain expenses should be recorded. Develop a specific strategy for communicating anti-corruption requirements to key financial reporting and accounting personnel. These communications should be part of a controller's manual or other accounting policies and should be discussed at meetings and in training sessions.

Employ an Anti-Corruption Compliance Certification Program

Many companies have formal programs to certify and re-certify senior employees regularly on FCPA compliance. Certifications will not stop the deliberate wrongdoer, but the requirement serves as a continuing reminder of the manager's compliance responsibility. Certification processes also may identify issues that otherwise might not have surfaced. A specific certification of compliance with the company's anti-corruption policy could be included as part of an existing business conduct certification program.

Stay Out of Trouble

No compliance program, no matter how expensive or extensive, can provide absolute assurance of compliance. An effective anti-corruption program will positively effect a company's culture and deter wrongdoing, make non-compliance far less likely and, in the unhappy event of a violation, more favorly position your company for potential dealings with regulatory authorities. Be mindful that one byproduct of the increased rate of corporate prosecutions and settlements has been a dramatic increase in criminal prosecutions of executives. For executives, the risks are real and not just about money. These leading practices can provide a good starting point and useful benchmark as you begin to think about how to do business globally while keeping your company, and especially your people, out of trouble.

Creating an Anti-Corruption Program

The Checklist

  • Conduct a corruption risk assessment.
  • Adopt a corporate anti-corruption policy.
  • Integrate anti-corruption into your overall corporate compliance program.
  • Implement anti-corruption training.
  • Audit for anti-corruption compliance.
  • Adopt special policies for retaining agents and consultants.
  • Incorporate anti-corruption policy into employee travel, gifts and entertainment rules.
  • Create an approval process for facilitating payments.
  • Develop guidance for charitable giving.
  • Incorporate anti-corruption procedures into mergers, acquisitions and joint ventures due diligence.
  • Implement anti-corruption financial controls.
  • Employ an anti-corruption compliance certification program.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.