As we have noted, the key to any testing, whether in the
form of an audit or assessment, of your Foreign Corrupt Practices Act (FCPA)
compliance program is not to be afraid of the results. If there are components
which need to be enhanced, you will have the opportunity to do so. If
additional or supplemental training is called for take the opportunity to
provide it. In short, do not be afraid of the results and use Paul McNulty's
maxims of "what did you find" and "what did you do about it". After you have
completed the FCPA audit, what steps should you take? This post will explore
some of the issues related the evaluation and response.
Evaluate - The Triage Committee
Initially you must evaluate the results of your testing.
If a significant issue has arisen, such as a possible violation of the FCPA or
other serious infraction of your compliance program, you should carve this
issue out and refer it to the appropriate group within the company. In the
Johnson & Johnson Deferred Prosecution Agreement (DPA) Attachment D -
Enhanced Compliance Obligations is the concept of a compliance oversight
committee, which is termed as the "Sensitive Issue Triage Committee"
whose responsibility is to review and respond to any FCPA issues that may
arise. This Triage Committee can be a valuable resource to refer such matters
for further investigation. If your company does not yet have such a committee,
this referral can be made to the Legal or Compliance department, who can
initiate a more formal or detailed investigation. You may also wish to bring in
specialized outside investigation counsel, early on, to assist with the
evaluation and investigation of any such significant issues.
After carving out the significant issues that require
immediate and/or further investigation, you should review the overall results.
You will need to bring together the relevant audit team members you have used.
This should have included the compliance, legal and internal audit or other
financial controls team members to review the overall effectiveness of your
internal controls, including the books and records review. All interviews
should be summarized and analyzed. If deficiencies were found, you should
determine if additional or more focused training is warranted.
After your evaluation is complete, you need to prepare a
detailed Response Plan, including the detail of how you intend to implement the
proposed responses. Here we would suggest that all corrective and preventive
action plans be closed within 90 days of completion of the audit. The goal is
to drive each region or business unit audited to adhere with your company's
compliance program, as we believe that this provides the best path to positive
change over the long term.
You should set out the time frame to accomplish the tasks
which may need remediation. There should be specific assignments of
responsibility made to handle the designated tasks. If required or called for
you should have interim progress made on the tasks assigned. Finally, there
should be a final report on the results of your implementation plan.
An ongoing question in this phase is whether or not to
administer discipline. Some feel that if discipline is administered as a result
of audit findings, the result will be less than forthcoming cooperation in the
next round of audits and assessments. However, I am a firm believer that if
disciplinary action is warranted it needs to be applied consistently. This
means that if information was received in any manner other than under an
amnesty program and discipline is warranted, you should discipline employees
for compliance violations just as you would if the information came in through
a mechanism other than an audit. As with any corporate discipline, it should be
administered fairly, in accordance with company policy. One thing to keep in
mind is that discipline must be meted out consistently, across the company on a
world- wide basis, for example if you terminate employees in South America for
intentional misrepresentations on travel and entertainment accounts, you must
do the same for US employees.
The final question we will explore is who should get the
report? There is usually dynamic tension between the Legal Department, which
desires to restrict access, and the Compliance group, which believes it can be
used as a teaching tool from which to learn valuable lessons. Initially, the
Final Report should be reviewed and approved by all Triage or compliance
oversight committee members as it should be sent to the Company's Board of
Directors or Audit Committee. You will also need to share the full report with
the local management of the region or business unit which was audited. Any
individuals who receive discipline, sanctions, or any type of counseling for
issues that were uncovered by the audit should also receive the report portions
which relate to them.
Visit the FCPA Compliance and Ethics Blog,
hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and
other forms of risk management for a worldwide energy practice, tax issues
faced by multi-national US companies, insurance coverage issues and protection
of trade secrets.
This publication contains general information
only and is based on the experiences and research of the author. The author is
not, by means of this publication, rendering business, legal advice, or other
professional advice or services. This publication is not a substitute for such
legal advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified legal
advisor. The author, his affiliates, and related entities shall not be
responsible for any loss sustained by any person or entity that relies on this
publication. The Author gives his permission to link, post, distribute, or
reference this article for any lawful purpose, provided attribution is made to
the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2011
For more information about LexisNexis
products and solutions connect with us through our corporate site.