A reader recently commented that most companies know "what to do" when it comes to FCPA anti-bribery compliance training, but that when it comes to FCPA books and records and internal controls compliance training most people "scratch their heads."
Below, I offer some thoughts on books and records and internal controls compliance training, but by no means does this cover the entire landscape.
I think the reader is correct in that most companies do in fact focus compliance efforts (if they have pro-active compliance efforts - see here) on the FCPA's anti-bribery provisions. The FCPA's other prong - the books and records and internal control provisions are usually mentioned (if at all) in passing.
An explanation for why likely has to do with the statute itself.
The anti-bribery provisions have specific elements tied to things we can all generally understand such as - things of value, foreign official, and obtain or retain business - and companies can easily tailor compliance training to those elements, or it is probably more accurate to say, DOJ and SEC's interpretations of those elements.
In contrast, the FCPA's book and records and internal control provisions are rather generic and have key terms such as "reasonable detail," "accurately and fairly," "sufficient," "reasonable assurances, and "general or specific authorization."
Tailoring compliance training to such general concepts can be difficult. Moreover, the books and records, and internal control provisions apply to issuers in ALL instances, not just those instances in which the company is doing business or seeking business abroad. Thus, it may be more difficult to frame books and records and internal control issues to training, because the provisions apply to everything an issuer does.
Against this backdrop, what works best I think is to view FCPA compliance as not just a task that company lawyers and selected key positions from an anti-bribery perspective (i.e. sales, marketing, business development) need to be concerned with, but rather a task that internal audit and finance should also be concerned with and actively involved in as well.
This means that internal audit and finance personnel must be specifically trained to approach their specific job functions not only in a traditional way, but also with "FCPA goggles" on.
It is clear from recent FCPA enforcement actions that the SEC expects much more from non-legal personnel when it comes to FCPA compliance, including the ability to spot FCPA issues and display a high degree of (I'll call it) intellectual curiosity as to certain issues.
For instance, in the 2007 York matter, the SEC alleged in its civil complaint (see here at para 51) that (i) "York International's management had the ability to review or cause internal audit to review [the problematic contracts] and, had this been done, it would have been immediately apparant that the consultancy agreements were a sham; and (ii) it was "clear that local finance personnel did not provide an independent internal control function, but rather acquiesced in questionable practices and documentation without critical review."
Again, because the FCPA's books and records and internal control provisions are rather generic, I think a "best practice" (not only for issuers, but for any company) is to specifically train internal audit and finance personnel to view their job with "FCPA goggles" on.
This means that internal audit and finance personnel should:
(1) Understand the broad interpretations given to the anything of value, foreign official, and obtain or retain business elements of anti-bribery violation so that they clearly understand that conduct other than a "suitcase full of cash to a government official to get a government contract" is problematic. For instance,
excessive travel and marketing expenses, payment of scholarships, etc. can be things of value. Internal audit and finance personnel also need to understand that employees of state-owned or state-controlled companies are considered "foreign officials" by DOJ/SEC (even if that interpretation has not been tested or challenged). This means that things a company does to "wine and dine" its purely private customers can become problematic when state-owned or state-controlled customers receive the same treatment. In terms of state-owned or state-controlled customers, it is also a good idea for a company to maintain a roster of such entities so that heightened review will be triggered when any corporate personnel deals with such customers or prospective customers. Internal audit and finance personnel also need to understand that payments which result in a company securing a foreign license, permit, or certification can satisfy the "obtain or retain business" element of an anti-bribery violation on the theory that such payments help the company, in the general sense, obtain or retain business.
(2) Pay particular attention to employee reimbursement requests and think about FCPA issues in connection with these requests. For instance, if a specific sales and marketing employee is the designated "wine and dine" person, is there any heightened scrutiny of that individuals reimbursement requests?
(3) Be aware of the FCPA's third-party payment provisions and be able to spot (and follow-up on) the following issues relevant to engaging and supervising a foreign agent or representative: payments made to personal (rather than company) bank accounts; payments to off-shore bank accounts; payments which could be made in one lump sum but are split up to avoid detection; and payments made to an account in a country different than where the service provider is located. When utilizing third parties, commission payments are obviously a big FCPA risk. Thus, internal audit and finance personnel need to ask what steps the company has taken to assure itself that the commission payments are reasonable. Moreover, such personnel should specifically look for evidence that the third party actually provided legitimate value-added services before payment was made by the company.
(4) Figure out who within the company, the relevant business unit, etc. has the authority to authorize large payments and make sure those authorizations are scrutinized. Because of title, prestige and in some countries - gender - certain individuals are subjected to less oversight and scrutiny when it comes to authorizing payments. If any such trends or patterns emerge within a company as to this issue, internal audit and finance personnel must be diligent in understanding why.
(5)Pay particular attention to the following accounts (all of which, per recent FCPA enforcement actions, were used to conceal improper payments) - "additional assessments," "extra costs," "extraordinary expenses," "urgent processing," "urgent dispatch," "customs processing," "importation advances," . These accounts, and all other accounts described in a vague or ambiguous manner, should be subject to heightened scrutiny by internal audit and finance personnel.
Back to the original issue raised by the reader as to how best to offer FCPA books and records, and internal controls compliance training. Again, because the books and records and internal control provisions are so generic, I think the "best practice" is to couple such training with anti-bribery training and to make sure that internal audit and finance personnel have the FCPA tools necessary to properly execute their jobs.
Internal audit and finance personnel clearly have an FCPA compliance role to play, and the SEC is clearly expecting them to play that role. However, internal audit and finance personnel can only raise FCPA issues if they first know what FCPA issues to look for. Providing internal audit and finance personnel with a good pair of "FCPA goggles" is a good way to achieve books and records, and internal controls compliance.