At the request of subscribers, Compliance Week offers a Remediation Center, in which readers can submit questions—anonymously—to securities and accounting experts. Compliance Week’s editors will review all questions and then submit them—confidentially, of course—to specialists who can address the issues. The questions and responses will then be reprinted in a future edition of Compliance Week. Below is one of the Q&As.

QUESTION

We’ve seen a lot of attention from regulators and prosecutors recently focused on the Foreign Corrupt Practices Act. Could you tell me what the interplay is between the FCPA and Sarbanes-Oxley, particularly sections 302 and 404?

ANSWER

Albert Vondra—Thirty years after the enactment of the Foreign Corrupt Practices Act, it remains in the spotlight of regulators as more U.S. and foreign private issuers fall afoul of its provisions. More recently, there has been a global focus on preventing bribery. In 1998, the Organization for Economic Co-operation and Development adopted its Convention on Combating Bribery of Foreign Public Officials in Business Transactions. As of November 2005, the convention had 36 country members including Germany, Italy, the United Kingdom, and the United States.

Despite the high costs of implementing Section 404 to document and ensure effective internal controls, anti-bribery compliance programs may have been overlooked and in some instances been ignored completely when conducting the organization’s risk assessment. Now, failure to establish and uniformly implement the anti-bribery compliance controls that have since emerged as best practices for FCPA compliance may expose such companies to additional risk.

These risks, if not effectively identified and monitored, may result in ineffective Section 302 certifications—which attest to the accuracy and documentation of corporate financial reports—that CEOs and CFOs file with the Securities and Exchange Commission. Additionally, as required by Section 404, all annual financial reports must include a report on internal controls stating that management is responsible for an “adequate” internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in anti-bribery controls must be reported.

In today’s regulatory climate, an effective and fully functioning anti-bribery compliance program is an integral part of demonstrating the “adequate” internal control structure required by Section 404. The FCPA itself does not articulate specific requirements for an FCPA compliance program. Still, a “common law” of FCPA compliance best practices has emerged, not from judicial decisions, but from U.S. government advisory opinions and the terms of settlement agreements that resolve SEC or Justice Department enforcement actions. The suggestions and questions below highlight some of the key areas to ensure the appropriate consistency between FCPA and Section 404 compliance.

Ensure that the design of the FCPA compliance-control environment communicates the right tone and structure.

Has your company adopted a clear corporate ethics policy that prohibits conduct that violates the FCPA and other applicable anti-bribery laws, and establishes compliance standards and procedures that are reasonably capable of reducing the prospect of violations?

Are compliance criteria clearly embedded within the hiring, reward, promotion, and disciplinary processes of managers?

Is responsibility for the anti-bribery compliance program assigned to appropriate senior managers?

Are there discussions on compliance risks and exceptions at the board and audit-committee levels at least once every quarter?

Identify and focus on the most important FCPA compliance risks.

Has an effective risk assessment been completed to determine high-risk regions or countries to prioritize the completion of rigorous and periodic FCPA audits of operations?

What is the volume of business involving sales with procurement agents and intermediaries?

Design and implement FCPA compliance-control activities to minimize the risk of noncompliance.

Do you provide regular training concerning the requirements of the FCPA and other applicable anti-bribery laws for officers, employees, agents, consultants, joint-venture partners, and even distributors as soon as practicable following their retention and periodically thereafter, and require them to sign annual statements of compliance?

Have corporate procedures been adopted to include a due-diligence inquiry search whose results are memorialized to ensure that the company forms business relationships only with reputable agents, consultants, joint-venture partners, and distributors? Has a compliance committee been established to review the retention of such individuals and entities and all contracts related thereto?

Do all contracts with agents, consultants, joint-venture partners, and distributors include: (1) a guarantee that they shall not retain any sub-agent or representative without the prior written consent of the company; (2) provisions for audit rights; and (3) provisions for the termination of the contract or agreement as a result of any breach of such undertakings, representations, and agreements?

Establish processes and systems to support FCPA compliance.

Is a system in place by which officers, employees, agents, consultants, joint-venture partners, and distributors can report suspected violations without fear of retribution?

Have appropriate disciplinary mechanisms for violations or failure to detect violations of company policy or the law been implemented?

Are trends in risk captured and monitored, and are policies and procedures updated to mitigate those risks?

Establish comprehensive FCPA compliance-monitoring functions and programs that are independently tested.

Does the company invest in sufficient resources that test compliance efforts?

Do the FCPA audits include: (1) detailed audits of the operating unit’s books and records, with specific attention to payments and commissions to agents, consultants, and sub-contractors, and contributors to joint ventures; (2) audits of selected agents, consultants, sub-contractors, and joint ventures, where authorized by the governing contract or retention agreement; and (3) interviews with relevant employees, consultants, agents, sub-contractors, and joint-venture partners?

The SEC expects companies to apply a top-down, risk-based approach to Section 404. Answering any of the above questions without 100 percent confidence may indicate a deficiency in controls. Every precaution should be taken to avoid compliance failures, making an effective and fully functioning compliance program a requirement for companies entering into transactions with foreign governments or government-related officials.

Allowing managers to “deal with the problem” is no longer defensible, and attention should be paid even to apparently minor infractions of compliance policies and procedures. Small deviations or intentional noncompliance are key indicators of deficiencies in an organization’s internal control structure, which may lead to a future scandal. History has shown that compliance breakdowns can be prevented when senior management in sales and procurement and departments charged with gate-keeping—including accounting and reporting, Office of General Counsel, internal audit, and corporate compliance—lead the charge to imbed compliance within the organization and remain actively involved to ensure an effective compliance program.

The best advice for CEOs and CFOs signing Section 302 certifications and audit committees discharging their fiduciary responsibilities can be boiled down to three points. First, address key questions to all parties, insisting on full, transparent disclosure of all misconduct and known control weaknesses; second, treat ethics and compliance as a strategic investment imperative with the goal to have a “zero-tolerance” policy towards misconduct; and third, get protection through internal certifications, due process, and an independent review of organizational compliance policies and procedures.