5 Ways Your Audit Team Can Incorporate FCPA Screening into an 'Everyday' Audit

The Foreign Corrupt Practices Act (FCPA) remains a concern for corporate auditors, and the addition of another audit requirement exacerbates resource shortages on an audit team.

Auditors must figure out how to target the work they are expected to perform to address FCPA risk.

Focus your Interviews
Understand the channels your company uses to sell products and services
Validate the street addresses your company stores
Leverage tools to screen for 'Denied Parties' and 'Politically-Exposed Persons'
Target testing of disbursements to include transactions of potential importance to FCPA


    By Alan Frank and Joseph Termine
    www.complianceweek.com, August 2008

    Since Congress passed the Foreign Corrupt Practices Act (FCPA) in 1977, there have been countless articles in academic and trade press urging audit and governance professionals to consider the risks raised by violations of this law. Authors have described the anti-bribery provisions of the law at length and identified scenarios that companies operating abroad may encounter that expose them to corrupt practices.

    Few could argue that after three decades, FCPA remains a prominent concern for governance professionals. Corporate auditors, for instance, frequently find themselves asking whether FCPA screening can be integrated into their everyday audits. The addition of yet another audit requirement, however, exacerbates resource shortages on an already overstretched audit team.

    The quandary remains as to how auditors can target the work they are already expected to perform to address FCPA risk. If this situation resonates with your audit team, consider these 5 tips.

    1. Focus your Interviews

    Sometimes the simple, direct approach works best—ask, “Are we compensating people to buy from us?”

    Though the FCPA specifically targets the bribery of foreign government officials, corporate auditors should be concerned about any form of uncontrolled payout regardless of its nature or value. Irregular gifts, payments, “comps”, or “pay to play” provisions expose the business to countless governance and ethics problems. By asking directly about whether your company is paying people in this way, you are communicating to your audit client that the answer to this question is just as important as those you might ask about financial topics or business processes.

    Carefully choose your audience when asking direct questions. Though a controller, logistics manager, or CFO might be obvious choices, you should not forget the valuable insights to be gained from questioning individuals outside the financial departments, such as a well-placed I.T. manager, administrative assistant, or account executive.

    Remember, interviewees may inadvertently filter information they believe is trivial because they may want to build a good rapport with you or fear retaliation from their peers. When interviewing, you should think of yourself as a “therapist” instead of an “investigator” by helping your interviewee come to terms with revealing truths. Auditors should also consider the physical place where these issues are discussed. For instance, the crammed conference room housing the auditors' temporary workspace can be intimidating to someone unfamiliar with your audit culture.

    2. Understand the channels your company uses to sell products and services

    The global marketplace has made it easy for companies large and small to sell to customers outside of their home countries. Sellers have a variety of channels they can use to distribute, including trade groups, online marketplaces, business partnerships, direct-to-consumer, and other means.

    Sales channels transcend national boundaries and usually involve intermediaries. Include sales and logistics managers in your interviews and map how various key products or services leave your company and enter the marketplace.

    The interviews, flowcharts, and sales process documentation you gather will provide the basis of your testing of revenue recognition and order fulfillment. Auditors are already expected to have an understanding of the flow of money across sales channels and the physical and entity touch points between different phases in the sales process. Therefore, auditors can leverage this understanding to assess FCPA risk simply by questioning the company's contact with government officials before and after sales, evaluating the process used to vet distributors operating in foreign countries, and corroborating ethical compliance policies that undoubtedly already exist with actual business practices.

    Supplement this research by requesting data extracts of customer, supplier, and distributor information focusing on entity names, contacts, physical and mailing addresses, and transaction volumes. Then, seek out information from data in your company's customer relationship management (CRM) software by obtaining prospect entities and their contacts. Finally, obtain a list of your employees. You can use these datasets for risk assessment and substantive control testing for a variety of scenarios and for use in assessing your company's FCPA risk.

    3. Validate the street addresses your company stores

    “Geocoding” is the process of assigning a geographic coordinate on a map (e.g. latitude/longitude) to a street address. Google Maps, for instance, uses geocoding to pinpoint the location of a street address on a street map and provide driving directions.

    Geocoding is a type of address validation. In the US, the US Postal Service supplies databases of street addresses with their official geocodes. When you geocode a list of street addresses from, say, your vendor master file, you pass the address you have on hand to geocoding software and obtain its official geocode. This process provides you with the confidence that the street address you have on file is valid and represents a physical location.

    The key benefit of geocoding is that it enables auditors to compare addresses between datasets. It is most helpful because different systems store street addresses in non-standard ways. For instance, does an employee live on “West Main Street”, “W Main St” or “West Main St”? A geocode would present the street address as a coordinate, which would simplify establishing a connection between a list of employees and another list of vendors.

    Though not all mailing and shipping addresses have geocodes (e.g. post office boxes), other address validation can be performed to ensure the addresses you have on file are legitimate. Think of all the phantom vendors and employees you could pick up with such a simple test. Also, if you knew that all U.S. Government agencies in Washington, D.C. are assigned ZIP codes in the 20200 to 20599 range, you might be able to pick up transactions between your company and U.S. government entities.
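The cross-dataset comparison described in this tip, sketched in Python as an added example that is not part of the original article. It assumes a simple text normalization as an offline stand-in for a real geocoding service; the function names, abbreviation table and sample records are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data; all names and addresses are invented for illustration.
EMPLOYEES = [
    {"name": "J. Rivera", "street": "12 West Main Street", "zip": "07001"},
    {"name": "M. Chen", "street": "400 Oak Avenue, Apt. 3", "zip": "07002"},
]
VENDORS = [
    {"name": "Rivera Consulting LLC", "street": "12 W Main St.", "zip": "07001-1234"},
    {"name": "Acme Supply", "street": "9 Industrial Road", "zip": "19103"},
    {"name": "Federal Office (sample)", "street": "1 Example Plaza NW", "zip": "20240"},
    {"name": "Box Holder Inc", "street": "P.O. Box 77", "zip": "07001"},
]

# Small abbreviation table (an assumption; real postal standards define many more).
ABBREV = {"west": "w", "east": "e", "north": "n", "south": "s",
          "street": "st", "avenue": "ave", "road": "rd",
          "apartment": "apt", "suite": "ste"}
PO_BOX = re.compile(r"^p\.?\s*o\.?\s*box\b", re.IGNORECASE)

def address_key(street, zip_code):
    """Canonical (street, ZIP5) key: a text stand-in for a geocode."""
    words = re.sub(r"[^a-z0-9 ]", " ", street.lower()).split()
    return (" ".join(ABBREV.get(w, w) for w in words), zip_code[:5])

def is_po_box(street):
    return bool(PO_BOX.match(street.strip()))

def in_dc_government_range(zip_code):
    """ZIP range the article cites for U.S. Government agencies in Washington, D.C."""
    z = zip_code[:5]
    return z.isdigit() and 20200 <= int(z) <= 20599

def screen(employees, vendors):
    by_key = defaultdict(list)
    for e in employees:
        by_key[address_key(e["street"], e["zip"])].append(e["name"])
    findings = []
    for v in vendors:
        if is_po_box(v["street"]):
            findings.append((v["name"], "no physical address (P.O. box)"))
        for emp in by_key.get(address_key(v["street"], v["zip"]), []):
            findings.append((v["name"], f"shares address with employee {emp}"))
        if in_dc_government_range(v["zip"]):
            findings.append((v["name"], "ZIP in 20200-20599 range"))
    return findings
```

Each finding is a lead for follow-up testing, not a conclusion; a shared address or a ZIP in the cited range only tells the auditor which records to pull supporting documentation for.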

    4. Leverage tools to screen for 'Denied Parties' and 'Politically-Exposed Persons'

    In an effort to help prevent companies from engaging in business transactions with known foreign criminals or terrorists, various government agencies around the globe publish “denied party lists” (DPLs) containing the identities of people their agency has flagged. A good vendor of DPL screening software will aggregate these lists along with rosters of politically-exposed persons (PEPs).

    A PEP describes a person who may be (or may have been) in a position of political authority or prominence. Common PEPs include heads of state and their direct reports, judges, high-ranking military officials, ambassadors, and local politicians. Some advanced PEP lists may also include these individuals' spouses and immediate family members.

    DPL/PEP screening is commonplace in companies transacting business internationally. Auditors tend to overlook its usefulness in their testing, however, even though a PEP scan is relevant to FCPA assessments.

    Auditors should already be reviewing DPL screening when evaluating controls on order fulfillment processes. Testing this can help them ascertain whether their company's DPL/PEP controls are effective by providing independent verification.

    5. Target testing of disbursements to include transactions of potential importance to FCPA

    Most internal audits have a component where disbursements are tested. These disbursements may include expense reports or direct invoices submitted to accounts payable departments. When selecting a sample of disbursements to test, consider those that may have a potential for raising an FCPA risk.

    First, pursue cash payments of a significant dollar value made to customers to cover discounts, rebates, refunds or other invoice “adjustments.” Typically, invoice adjustments are made on a particular invoice before the customer makes a payment. A test confirming that cash refunds issued to clients actually are addressed to the client could be performed using address validation and provide confidence the “refund” payments are not being used as kick-backs or bribes.

    Second, scrutinize payments made to third-party marketers especially if they are for fees not associated with actual sales volume. Third-party marketers are usually paid to sell products or services, so unspecified “consulting fees” submitted by these vendors may be destined for someone other than the marketer.

    Finally, review payments made to lobbyists, political consultants, or attorneys. Ensure that these services are tied to appropriate contractual documentation such as engagement letters or statements of work (SOWs). Lobbyists operating on a blank check from the company might lack oversight to ensure they are fulfilling a legitimate business need.

    These 5 tips are certainly not the only ones to consider. Surely with a little creativity, your audit team can think of additional ways to integrate FCPA screening into everyday audits without increasing your workload.

    Alan Frank and Joseph Termine are consultants in Business and Risk Advisory Services at Amper, Politziner and Mattia LLP. Their research focuses on optimizing audit processes with information technology. Reach them on the web at www.amper.com.

    The material contained in this presentation is for general information and should not be acted upon without prior professional consultation.

