In a 2008
speech to the Texas General Counsel Forum, former United States Deputy Attorney
General Paul McNulty provided his perspective on Foreign Corrupt Practices Act (FCPA)
compliance investigations and the Department of Justice (DOJ) enforcement
actions. From his experience as the former second highest-ranking official in
the DOJ and the chairman of the President's Corporate Fraud Task Force, Mr.
McNulty opined that there were three general areas of inquiry the DOJ would
assess regarding an enforcement action. First: "What did you do to stay out
of trouble?" Second: "What did you do when you found out?" And
third: "What remedial action did you take?"
Mr. McNulty
went on to explain that in the first area of inquiry, "What did you do
to stay out of trouble?", the DOJ would look into what systems a company had
in place, for example: a Code of Conduct; policies and procedures to implement
that Code of Conduct; and a company-wide (and anonymous) hotline. However, more
than just having the policies, procedures and processes in place, did the
Company provide training on these and were they actively used in business going
forward, such as in the area of due diligence on foreign business partners,
including agents, resellers, distributors and vendors? Lastly, Mr. McNulty
stated that the DOJ would look to see if a company had tested its FCPA
compliance systems, for instance, was a test case sent up through the hotline;
was training in FCPA compliance confirmed or at least tested; were FCPA
compliance audits conducted of both employees and foreign business partners;
and were the results of the monitoring catalogued and maintained?
This posting
will focus on the use of continuous controls monitoring in an FCPA compliance
program. While most companies have a Code of Conduct, with attendant
implementation policies and procedures in place, training thereon and a
hotline, many companies have yet to implement any type of self-audit program to
measure FCPA compliance program performance. One of the concepts to emerge out
of Sarbanes-Oxley (SOX) is that of continuous controls monitoring for SOX
compliance. This author believes that the experiences beginning to come out of
continuous controls monitoring programs could portend a powerful tool to assist
companies in their ongoing FCPA compliance program.
A recent survey
by KPMG, published in its
white paper on "What is Driving
Continuous Auditing and Monitoring Today?" indicated that a large
number of US companies were successfully using continuous controls monitoring
in the following areas:
- Regulatory Compliance
- SOX 404 Compliance
- Fraud Prevention and Detection
These findings
highlight the transportability of the continuous controls monitoring concept
for use as a tool in the area of FCPA compliance.
One of the
leading proponents of continuous controls monitoring is Norman Marks, who writes his own
blog on the subject, entitled Norman Marks on Governance, Risk Management,
and Internal Audit. Mr. Marks describes continuous controls monitoring as
more than simply an application of a monitoring program. It is a top-down model
that begins with "understanding enterprise goals and objectives" and then moves
to "determine the potential risks to those objectives" and finally goes on to
"the assessment and testing of the controls required to manage the risks."
Marks, "A Look into the Future: The Next
Evolution of Internal Audit."
In a recent
article entitled "Magic
Quadrant for Continuous Controls Monitoring," French Caldwell and Paul
Proctor of Gartner described three
ways in which continuous controls monitoring contributes to overall risk
management and compliance initiatives. First, continuous controls monitoring
can lower audit costs by eliminating manual sampling. Second, continuous
controls monitoring can improve financial governance by increasing the
reliability of transactional controls and the effectiveness of anti-corruption
controls. Third, continuous controls monitoring can improve actual operational
performance by monitoring key financial processes.
There are many
examples available on the use of continuous controls monitoring. One company, Visual Risk IQ, which produces a
software product which performs continuous controls monitoring, has published
anonymous case studies on its website. These studies presented were not
performed in connection with any FCPA compliance audits. However, the case
studies are useful examples of how tools such as continuous controls monitoring
can be utilized by corporations in an overall FCPA compliance program and will
assist a company in answering the first question McNulty posed above, "What
did you do to stay out of trouble?"
The Visual Risk
IQ studies include a case study of accounts payable and one of purchase card
spend, each conducted to determine whether there was fraud or misuse. The key in both
of these continuous controls monitoring reviews was the review of the underlying
data. This same type of testing can be utilized in reviewing foreign business
partners, including agents, resellers, distributors and joint venture partners.
All foreign business partner financial information can be recorded and
analyzed. The analysis can be compared against an established norm, derived
either from a business's own standard or from an accepted industry
standard. If a payment, distribution or other financial outflow to, or
remuneration received from, a foreign business partner falls outside the established
norm, it creates a Red Flag, and such information can be tagged for further
investigation.
Many companies
have yet to embrace post-implementation testing of their FCPA compliance policy as a standard
part of their compliance program. While they have found it difficult to test the
behavioral aspects of an FCPA compliance policy, such as whether an employee
will follow a company's FCPA-based Code of Conduct, other testing can be used
to form the basis of a thorough review. For instance, it can be difficult to
determine if an employee will adhere to the requirements of the FCPA. However,
continuous controls monitoring can be used to verify the pre-employment
background check performed on an employee and the quality of the FCPA compliance
training an employee receives after hire, and then to review and record an
employee's annual acknowledgement of FCPA compliance. For a multi-national US
company with thousands of employees across the world, the retention and
availability of such records is an important component not only of the FCPA
compliance program, but it will also go a long way toward a very positive response
to McNulty's inquiry of "What did you do to stay out of trouble?"
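The two monitoring checks described above, the comparison of foreign business partner payments against an established norm (with Red Flags tagged for further investigation) and the review of employee background check, training and annual acknowledgement records, can be expressed as a small piece of continuous controls monitoring logic. The following Python is an added illustration written for this post; it is not code from Visual Risk IQ, Gartner, Norman Marks or the author. The partner names, payment history, the 10% commission cap used as a stand-in for an "accepted industry standard", the three-standard-deviation threshold and the employee records are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Payment:
    partner: str
    kind: str              # e.g. "commission" or "fee"
    amount: float
    contract_value: float  # value of the underlying deal the payment relates to


# Constructed per-partner history of prior payments: the business's own norm.
HISTORY = {
    "Agent A": [12000.0, 11500.0, 12800.0, 12300.0, 11900.0],
    "Distributor B": [40000.0, 42000.0, 39500.0, 41000.0, 40500.0],
}

# Hypothetical industry norm: a commission above 10% of contract value is out of line.
INDUSTRY_COMMISSION_CAP = 0.10

# Constructed batch of new payments to review.
NEW_PAYMENTS = [
    Payment("Agent A", "commission", 12100.0, 150000.0),
    Payment("Agent A", "commission", 48000.0, 160000.0),    # far above history, 30% rate
    Payment("Distributor B", "fee", 40800.0, 500000.0),
    Payment("Consultant C", "commission", 9000.0, 60000.0),  # no history, 15% rate
]


def flag_payments(payments, history, cap, z_threshold=3.0):
    """Return (payment, reasons) pairs for payments outside an established norm.

    Two norms are applied: the partner's own payment history (flag when the amount
    is more than z_threshold standard deviations from the historical mean) and the
    industry commission cap. Partners with no usable history are only checked
    against the industry norm, since no business-specific baseline exists yet.
    """
    flags = []
    for p in payments:
        reasons = []
        prior = history.get(p.partner, [])
        if len(prior) >= 3:
            mu, sigma = mean(prior), pstdev(prior)
            if sigma > 0 and abs(p.amount - mu) / sigma > z_threshold:
                reasons.append(
                    f"amount {p.amount:.0f} deviates from partner history "
                    f"(mean {mu:.0f}, sd {sigma:.0f})"
                )
        if p.kind == "commission" and p.contract_value > 0:
            rate = p.amount / p.contract_value
            if rate > cap:
                reasons.append(f"commission rate {rate:.0%} exceeds industry cap {cap:.0%}")
        if reasons:
            flags.append((p, reasons))  # tagged as a Red Flag for investigation
    return flags


@dataclass(frozen=True)
class EmployeeRecord:
    employee_id: str
    background_check_on_file: bool
    training_completed: bool
    acknowledgement_years: tuple  # years with a recorded annual FCPA acknowledgement


# Constructed employee compliance records.
EMPLOYEES = [
    EmployeeRecord("E-001", True, True, (2009, 2010)),
    EmployeeRecord("E-002", True, False, (2010,)),
    EmployeeRecord("E-003", False, True, (2009,)),
]


def employee_record_gaps(records, year):
    """Map employee id -> list of compliance records missing for the given year."""
    gaps = {}
    for r in records:
        missing = []
        if not r.background_check_on_file:
            missing.append("pre-employment background check")
        if not r.training_completed:
            missing.append("FCPA compliance training")
        if year not in r.acknowledgement_years:
            missing.append(f"{year} annual FCPA acknowledgement")
        if missing:
            gaps[r.employee_id] = missing
    return gaps


if __name__ == "__main__":
    for payment, reasons in flag_payments(NEW_PAYMENTS, HISTORY, INDUSTRY_COMMISSION_CAP):
        print(f"RED FLAG {payment.partner}: " + "; ".join(reasons))
    for emp, missing in employee_record_gaps(EMPLOYEES, 2010).items():
        print(f"RECORD GAP {emp}: " + ", ".join(missing))
```

Run against the constructed data, the second Agent A payment is tagged on both norms, Consultant C is tagged only on the industry cap (there is no history to compare against), and Distributor B passes. The record check reports the employees missing training, a background check or the current year's acknowledgement, which is the kind of catalogued result McNulty described the DOJ looking for.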
©
Thomas R. Fox, 2010
Visit FCPA Compliance and Ethics Blog,
hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and
other forms of risk management for a worldwide energy practice, tax issues
faced by multi-national US companies, insurance coverage issues and protection
of trade secrets.