January 11, 2011
Note: The draft guidance is not prescriptive and does not detail specific anti-bribery measures, but instead adopts a principles-based approach, which is intended to be used as a guide by a company when implementing its own anti-bribery compliance program.
The audit committee is responsible for overseeing the financial reporting process and controls, the internal audit function, and the external auditors, including the appointment of the company’s external auditor. It oversees management’s implementation of policies that are intended to foster an ethical environment and mitigate financial reporting risks. In this process, the audit committee has the responsibility to see that management designs, documents, and operates effective controls to reduce the risk of financial reporting fraud to an acceptable level. The Sarbanes-Oxley Act also makes the audit committee responsible for establishing mechanisms for the receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or audit matters, and confidential, anonymous submissions by employees of concerns regarding questionable accounting and auditing matters (generally referred to as the ethics or whistleblower program).
In addition, it is increasingly common for the audit committee to have a link with the compensation committee through overlapping members, joint meetings, or attendance of the audit committee chair at certain compensation committee meetings. The objective of this process is to satisfy both committees that the executive compensation structure provides sound incentives for achieving corporate strategies without unintentionally providing motivations for fraud or other unethical behavior. The focus on compensation structures will likely increase as a result of legislation and regulatory rules regarding corporate compensation policies and practices.
Source: Center for Audit Quality Anti-Fraud Report: Deterring and Detecting Financial Reporting Fraud: A Platform for Action
1. Top level commitment – “Tone and Conduct from The Top”
• Top-level management (usually the board of directors and senior executives) must establish a culture within their company in which bribery is unacceptable. They also should ensure that the company’s policy to operate without bribery is effectively communicated throughout the company. The draft guidance provides examples of what top-level commitment should include:
• A “zero tolerance policy” toward bribery in all parts of the company’s operation;
• Clear explanation of the consequences that employees and business partners will suffer if they violate the corporate policy;
• Personal involvement in the development of a code of conduct, or ensuring the publication and communication of anti-bribery measures to all employees, subsidiaries and business partners; and,
• Appointing a senior manager to oversee the development of an effective anti-bribery program.
• “Top level commitment” is another commonly identified element of an effective compliance program. This principle, as articulated in the draft guidance, appears to combine the requirement of a strong “tone at the top,” noted by almost every respected guide on compliance programs from the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) to the US Department of Justice, and the need for a clear, firm anti-bribery policy—a principle also widely endorsed in the compliance literature and by governmental organizations.
2. Corruption and Bribery Risk Assessment
The OECD Good Practice states that a compliance program should be developed on the basis of a risk assessment.
Conduct a comprehensive review of the company and assess the potential bribery and corruption risks associated with its products and services, customers, third-party business partners and geographic locations where it operates.
The risk assessment can serve as the documented rationale for the compliance program.
Businesses must be aware of the current bribery risks they face in the sectors and markets in which they operate. The proper nature of any risk assessment procedures will depend on the size of the company, as well as its activities, customers and markets. But companies are generally advised to consider the following:
• Whether those performing the risk assessment are “adequately skilled”; and,
• What data sources should inform the risk assessment. The draft guidance suggests the use of internal data (annual audit reports, internal investigation reports, focus groups and staff, client or customer complaints) and external data (analyzing publicly available information on bribery issues in particular sectors or jurisdictions).
For multinational corporations already subject to the US Foreign Corrupt Practices Act (“FCPA”) and other anti-bribery enforcement regimes, this requirement should be no surprise. Section 8B2.1 of the US Sentencing Guidelines for Organizations already lists periodic risk assessments as a component of an effective compliance program. And the OECD’s Working Group on Bribery in International Business Transactions issued guidance in November 2009 that similarly advised risk assessments as a good practice for companies. Regardless of official guidance, no company can properly design a compliance program without identifying and understanding the risks it wishes to guard against.
3. Internal Controls
• Most companies struggle with designing fraud controls and implementing mitigating controls to support their internal anti-bribery and anti-corruption policies.
• Develop, document and maintain a system of internal financial controls to ensure that all payments are accurately recorded in the company’s books and records in accordance with applicable regulatory requirements.
• Special attention should be paid to those areas that may directly affect the anti-bribery and corruption compliance program such as procurement, on-boarding of vendors, agents, consultants, and other third-party business payees.
• Gifts and entertainment controls. Managing the offering and receiving of corporate gifts, entertainment and travel has become increasingly important in today’s environment of increasing regulatory oversight. Gifts given with the best of intention can be incorrectly perceived and lead to millions of dollars in government fines, as well as loss of potential business.
4. Structuring and Defining Roles & Responsibilities
• Anti-corruption director (See Daimler)
• Chief Compliance Officer or Other Senior Corporate Official
• The assignment of responsibility to one or more senior corporate officials for implementation (see discussion within) and for oversight of compliance with policies, standards and procedures under the FCPA and other applicable anti-corruption laws, with the authority to report matters directly to the Board.
• Understanding the changes to the US Sentencing Guidelines that became effective on November 1, 2010, which included a change related to the direct report. The amendment changed the reporting structure in companies where the Chief Compliance Officer (CCO) reports to the General Counsel (GC) rather than to a committee of the Board of Directors. The change reads “the individual…with operational responsibility for the compliance and ethics program…have direct reporting obligations to the governing authority or any appropriate subgroup… (e.g. an audit committee or the board of directors)”. If a company has the CCO reporting to the GC, who then reports to the Board, such a structure may not qualify as an effective compliance and ethics program under the amended Sentencing Guidelines. The better practice would now appear to be that the CCO should be a direct report to the Board or to an appropriate subcommittee of the Board, such as compliance or audit.
5. Risk-based Third Party Due Diligence
• Develop and document an investigative due diligence protocol that will assess the potential bribery and corruption risks associated with third parties such as vendors, consultants, suppliers, agents and joint venture partners.
• The nature and extent of the investigative due diligence should be based on the third party’s risk profile.
• The protocol should set forth the remedial steps that may be taken for those parties that represent an elevated risk of bribery and corruption, including, but not limited to escalated due diligence or the termination of the relationship.
Types or Levels of Due Diligence (Sample)
• Basic: simple database checks
• Medium: more in-depth review
• High: reputation checks, site visits, forensic review of financial statements, and investigative procedures outside the US
6. Clear, Practical, Current, And Accessible Policies And Procedures
• There should be a clearly articulated policy against bribery and corruption that enforces a tone of compliance from the board and management.
• Procedures and processes that clearly set forth permitted and prohibited conduct, supervisory and compliance approvals for certain conduct and documentation of such approvals.
7. Documenting a Detailed Multi-year Compliance Plan
Companies must embed anti-bribery policies and procedures throughout the business; in other words, compliance must be operationalized. “Paper compliance” is insufficient. Companies should consider establishing an implementation strategy detailing the rollout of these policies and procedures:
• Who bears responsibility for program implementation;
• How to communicate the policies and procedures internally and externally;
• The content and nature of anti-bribery training and how to roll it out effectively;
• How senior management will monitor the program’s implementation;
• Whether and how the company will use external assurance processes;
• The processes for monitoring compliance;
• The implementation timetable;
• An explicit statement of penalties for violating relevant anti-bribery policies and procedures;
• The date of the program’s next review; and
• A decision on whether to require or suggest that business partners take part in anti-corruption training courses.
Warning! The point that “paper compliance” is insufficient echoes warnings issued numerous times by US enforcement officials. Indeed, US Deputy Attorney General Mark Filip’s well-known 2008 memorandum on prosecuting business organizations explicitly cautions that a mere “paper program,” lacking the necessary design, implementation, and review, will not protect a company from prosecution.
8. Appropriate Disciplinary Procedures To Address Violations
Appropriate and consistent disciplinary procedures to address, among other things, violations of the FCPA, the UK Bribery Act, and other applicable anti-corruption laws or the compliance code by directors, agents and business partners.
9. Ensuring Robust Monitoring and Review (Utilizing Internal Audit & Compliance)
• Develop and document processes and/or controls to periodically assess the effectiveness of the compliance program and potential vulnerabilities and monitor for employee compliance.
• Such processes may include periodic testing and validation, review of available metrics and design of self-assessment forms and exercises.
10. Training
Develop training materials that clearly and concisely interpret applicable legal, regulatory, policy and procedural requirements as well as the possible ramifications associated with non-compliance. The training materials should be reviewed periodically to ensure their continued adequacy.
Training should be provided regularly to senior management and key compliance and business personnel.
11. An Effective System for Reporting Suspected Criminal Conduct and/or Violations of the Applicable Anticorruption Laws for Directors, Employees, Agents and Business Partners.
Develop and maintain a system for receiving complaints (all types) containing allegations of bribery and corruption as well as a system to investigate such allegations and document the actions taken with respect to such complaints and investigations.
12. Other Risk Mitigation Procedures
Standard provisions in contracts and agreements that include at a minimum:
• Anti-corruption representations and undertakings relating to compliance with FCPA, UK Bribery Act and other applicable anti-corruption laws;
• Rights to conduct audits of the books and records; and
• Rights to terminate as a result of any violation of anti-corruption laws, and regulations or representations and undertakings related to such matters.
13. Annual Testing of The Compliance Program
The US Sentencing Guidelines state that there should be periodic reviews of a company’s compliance program, utilizing internal resources, such as a company’s Internal Audit function, and outside professional consultants. (emphasis added)
The OECD Good Practice states that a compliance program should be developed on the basis of a risk assessment addressing the individual circumstances of a company, in particular the foreign bribery risks facing the company (such as its geographical and industrial sector of operation). Such circumstances and risks should be regularly monitored, re-assessed, and adapted as necessary to ensure the continued effectiveness of the company’s internal controls, ethics, and compliance program or measures.
The UK Bribery Act Consultative Guidance, recently released by the UK Ministry of Justice, requires ongoing risk review and monitoring, noting that a compliance program and its procedures should be reviewed regularly, and it encourages senior management of higher-risk and larger companies to consider external verification or assurance of the effectiveness of anti-bribery policies.
In a recent speech, Assistant Attorney General for the Criminal Division of the US Department of Justice, Lanny Breuer, indicated that such an external verification or assurance of the effectiveness of a compliance program is a key component to assist a company in maintaining a ‘best practices’ FCPA compliance program. He noted that it is through a mechanism such as an ongoing assessment that a company could continue to evaluate its own compliance program with reference to compliance standards, which are evolving. Breuer has advocated an annual compliance program assessment by each company and I do as well.
Higher risk and larger companies should consider external verification or assurance of the effectiveness of anti-bribery policies.
Not updated for new guidance or leading practices.