
Knowledge Briefing

Internal Auditing and the Foreign Corrupt Practices Act


April 2010

Disclaimer
Copyright © 2010 by The Institute of Internal Auditors located at 247 Maitland Avenue, Altamonte
Springs, FL 32701, U.S.A. All rights reserved. Published in the United States of America.

Except for the purposes intended by this publication, readers of this document may not
reproduce, redistribute, display, rent, lend, resell, commercially exploit, or adapt the statistical and
other data contained herein without the permission of The IIA.

The information included in this document is general in nature and is not intended to address any
particular individual, internal audit activity, or organization. Based on the date of issuance and
changing environments, no individual, internal audit activity, or organization should act on the
information provided in this document without appropriate consultation or examination.

About This Report


As part of its services, The IIA will publish a series of reports on topics of appeal to chief audit
executives (CAEs) and other internal auditors that provide leading practices based on survey
results and other recommendations from audit professionals in the field.

Please note that The IIA surveys referenced in this report are not statistically based and their
results are not representative of the entire population of internal auditors. Rather, they are
benchmarking surveys based on the responses of CAEs and other internal audit professionals
who are members of The IIA’s Global Audit Information Network (GAIN). In addition, results from
these surveys are solely intended to provide information (i.e., tools, resources, and/or other
knowledge) that is based on the responses of survey participants only.

Table of Contents

About This Report ............................................................................................................................. ii

Executive Summary .......................................................................................................................... 1


Leading Practices ...................................................................................................................... 2

Overview of the U.S. Foreign Corrupt Practices Act ......................................................................... 5

Recommendations for Effective FCPA Internal Audits ...................................................................... 7

Recommendations for Organizational Compliance ......................................................................... 11

Recommendations for Audit Committees ........................................................................................ 13

Emerging FCPA Compliance Trends .............................................................................................. 15


Key Survey Findings............................................................................................................... 15

Resources ....................................................................................................................................... 21
Official FCPA Information .................................................................................................... 21
Online Articles and Other Resources ................................................................................... 21

Executive Summary

In 1977, the U.S. Congress enacted the U.S. Foreign Corrupt Practices Act (FCPA). The act is known primarily for two of its main provisions: one that addresses accounting transparency requirements under the U.S. Securities Exchange Act of 1934 and another for its anti-bribery provisions concerning foreign officials. Although the FCPA had a great level of impact on internal audit activities during the first couple of years after its enactment, interest dwindled during the 1980s as a new generation of internal auditors emerged.

However, attention to the legislation has flourished once more among chief audit executives (CAEs) and internal auditors given the recent emphasis the U.S. Department of Justice (DOJ) and U.S. Securities and Exchange Commission (SEC) are placing on the legislation.

During the past couple of years, the DOJ and SEC have stepped up their efforts to monitor compliance with the FCPA, leading to an increase in the number of cases brought against individuals and organizations. This greater emphasis has led to an increase in the number of noncompliance enforcement acts, including a US $1.6 billion fine settlement in 2009 by Siemens AG to U.S. and German regulators.[1]

More specifically, this increased focus has led to the development of:

- A specialized FCPA enforcement unit.
- New approaches to uncover and prosecute fraud.
- Greater multi-jurisdictional coordination.
- Increases in fines, penalties, and recovery of proceeds.

Furthermore, when fraud or bribery is found, authorities now question what specific controls were in place for detecting FCPA violations and the CEO’s, chief financial officer’s (CFO’s), and CAE’s involvement in the failure to detect and prevent FCPA risk in the organization.

Key FCPA Recommendations Discussed in the Knowledge Briefing

The following leading practices and recommendations are explored in this Knowledge Briefing and can help CAEs and other internal auditors ensure their organization’s anti-corruption prevention and detection efforts pay close attention to this important legislation:

- Recommendations for internal auditors include making sure controls are properly designed, well established, and documented; coordinating FCPA and financial reporting control reviews; performing a risk assessment that identifies FCPA compliance risks; incorporating FCPA screenings as part of planned compliance audits; determining if the organization is providing training to employees dealing with FCPA compliance; and performing testing procedures as a scope area in audit engagements.
- Recommendations for assessing FCPA risk areas include evaluating policies and procedures; analyzing risk factors; brainstorming potential violation schemes; and assessing the likelihood, significance, and pervasiveness of FCPA issues.
- Recommendations for organizationwide compliance initiatives include implementing policies and procedures that identify corrupt practices, performing employee training, and monitoring procedures that identify when FCPA issues may occur.
- Recommendations for audit committee members pertaining to FCPA compliance efforts include ensuring the organization’s code of conduct and policies outline the steps needed to achieve FCPA compliance; determining whether legal counsel and the CAE have access to expertise on FCPA issues; and assessing if FCPA testing is incorporated into the audit plan and risk assessments.

[1] Compliance Week, “Siemens Teaches Cos. FCPA Dos and Don’ts,” www.complianceweek.com/article/5234/siemens-teaches-cos-fcpa-dos-and-don-ts
Leading Practices

Following is a summary of the recommendations and leading practices discussed in this Knowledge Briefing obtained from CAEs and other sources of information:

Recommendations for Internal Audit Activities. To ensure internal auditors are adding value to their organization’s FCPA compliance efforts, CAEs should:

- Ensure the internal audit activity is part of the compliance program during the beginning stages to make sure controls are properly designed, well established, and documented.
- Recommend that the organization applies the Open Compliance and Ethics Group’s (OCEG’s) GRC Capability Model,[2] which can help organizations mature their approach to anti-corruption.
- Coordinate financial reporting control reviews and FCPA audits that look into anti-corruption processes, if these are separate activities.
- Perform a risk assessment that identifies FCPA compliance risks.
- Incorporate FCPA screenings as part of planned compliance audits.
- Determine if the organization is providing training and education to employees dealing with FCPA compliance. This includes mandatory training sessions for all internal auditors.
- Perform testing procedures as a scope area in internal audit engagements to confirm whether fraud controls and processes are working as intended or whether vulnerabilities exist.

Assessing FCPA Risk. Risk assessments often start with an evaluation of policies and
procedures; an analysis of risk factors; the brainstorming of potential violation schemes; and an
assessment of the likelihood, significance, and pervasiveness of FCPA risks. For more detailed
analysis, however, internal auditors can consider the following qualitative and quantitative risk
factors as part of the annual risk assessment effort:

- The history of industry and company FCPA violations.
- The company’s geographic location and its corruption rating from Transparency International.
- Each country’s anti-corruption enforcement level and ongoing investigations or schemes.
- Business unit susceptibility to FCPA violations related to the use of third parties.
- Employee, vendor, and agent knowledge and awareness of FCPA rules.
- Findings from previous transaction tests, audits, surveys, and hotlines.
- Previous internal control deficiencies.
- Recent business unit changes in management or business composition.
- International business unit revenues.
- The dollar amount and percentage of government business activities.
- The number and dollar amount of accounts payable transactions.
- Payments to third parties including sales agents and commercial agents.
- Payments for professional services and discretionary, noninventory spending.
- Growth rates.
- Budget to actual variances and the nature of time and expense reporting.

[2] GRC stands for governance, risk, and compliance.
Recommendations for Organizationwide Compliance Initiatives. At a minimum, FCPA compliance programs should have the following elements:[3]

- Clearly written policies and procedures that identify what is expected from employees and business partners with regards to anti-corruption compliance.
- Human capital controls, including employee training.
- Monitoring and reporting procedures, such as establishing an executive-level FCPA review committee or an FCPA compliance officer or ombudsman, and developing screening methods, checklists, and questionnaires to identify when FCPA issues may occur and for use internally and with third parties.

Recommendations for Audit Committees. The audit committee plays a vital role in helping the organization assess the effectiveness of FCPA compliance efforts and ensuring that risks that could hinder compliance with the legislation are taken into consideration. Consequently, the audit committee should:

- Ask the CEO and CFO about the FCPA compliance program, including whether the organization’s code of conduct and policies outline the steps needed to achieve FCPA compliance.
- Ask the CEO, CFO, legal counsel, and the CAE about the organization’s plan should a violation occur, as well as the process for disclosures and their timing.
- Determine whether legal counsel and the CAE have access to expertise on FCPA issues, including the involvement of a third party that can provide recommendations to enhance the FCPA program’s effectiveness.
- Assess whether FCPA testing is incorporated into an internal audit program and risk assessment.
- Ask senior management to provide evidence on the existence of:
  o A unified risk matrix that identifies and assesses corruption or fraud risk situations and the controls established for each.
  o A mechanism to monitor compliance with the anti-corruption program.
  o Documentation of change management controls, if needed.
- Make sure there is a management process in place that moves things through in a timely fashion in the event that a fraudulent event is identified.
- Ascertain whether the organization’s executive compensation policy clearly states how incentive-based pay will be determined and allocated.
- Ensure FCPA compliance is included as part of the enterprise risk management (ERM) program, especially if the organization performs business transactions internationally.
- Request that management obtain and present OCEG certification of the design and ultimate implementation of the anti-corruption program.

Benchmarking of FCPA Activities. Finally, The IIA performed a survey among GAIN members
to obtain information regarding compliance efforts with the FCPA. The survey identified the
following four key findings:

- FCPA compliance efforts are taking a more prominent role organizationwide.
- Internal auditors are becoming key players in their organization’s FCPA compliance efforts.
- Training and coordination of compliance activities were identified as the top practices in ensuring compliance with the FCPA.
- Risk assessments are a key component of the organization’s FCPA compliance efforts.

This Knowledge Briefing explores each of these leading practices, recommendations, and survey results in more detail.

[3] DOJ Opinion Procedure Release 04-02, www.justice.gov/criminal/fraud/fcpa/opinion/2004/0402.pdf (PDF, 23.6 KB), lists 12 elements for an effective anti-bribery compliance code.
Overview of the U.S. Foreign Corrupt Practices Act
The FCPA, which was first enacted in 1977 and revised in 1988, prohibits payments to non-U.S. officials for the purpose of obtaining business, and mandates that books and records be maintained to reasonably assure that no such payments are made. The act applies to U.S. citizens or residents and any organization that has a class of securities registered or that is required to file reports under the U.S. Securities and Exchange Act. In particular, the FCPA addresses two fundamental areas:

- The anti-bribery provision makes it unlawful to make corrupt payments to a foreign official for the purpose of obtaining or retaining business or for directing business.
- The books and records provision requires companies that file reports with the SEC to keep books and records that fairly and accurately reflect business transactions and maintain an adequate system of internal accounting controls.

Corporate interest in the FCPA has exploded in recent years given the DOJ’s greater emphasis on the legislation. However, many internal auditors and executive managers are still unaware of the repercussions noncompliance with this important legislation could have on the organization.

“The challenge for the internal audit profession is that most internal auditors were not around in 1977 when the act first came out,” says Larry Harrington, CIA, vice president of internal audit for defense technology contractor Raytheon Co. based in Waltham, Mass. “However, the DOJ’s and SEC’s increasing level of attention to the FCPA during the past couple of years has created more corporate awareness and, consequently, training opportunities for internal auditors and companies in general.”

The FCPA and Federal Sentencing Guidelines

During the mid-1980s, the U.S. Sentencing Commission created the Federal Sentencing Guidelines for Organizations. “The guidelines were enacted to provide guidance and a level of consistency for federal judges in imposing penalties on individuals and corporations found guilty of violating federal criminal laws including the FCPA,” explains Gary Fair, vice president of corporate internal audit for New Jersey-based Johnson & Johnson. “The guidelines outline aggravating and mitigating factors for the court to consider in setting the appropriate punishment for an FCPA violation. These factors, in turn, can provide guidance in establishing and assessing FCPA compliance programs.”

In particular, the Federal Sentencing Guidelines require federal courts handing down criminal sanctions to take into account the implementation of an effective corporate compliance program. Therefore, if an organization has a robust FCPA compliance program that follows the Federal Sentencing Guidelines’ recommendations and there is a noncompliance problem, the DOJ might show leniency when deciding the amount of fines to be paid.

However, if the organization is in noncompliance with the FCPA and does not follow the Federal Sentencing Guidelines, then the fine may be up to twice the benefit that the organization or defendant sought to obtain by making the corrupt payment. For instance, in previous FCPA compliance cases, the presence of an effective compliance program has significantly reduced settlements by as much as 95 percent.

“The Federal Sentencing Guidelines set forth harsh penalties for corporations whose employees violate federal criminal law such as the FCPA,” adds Cindi Hook, vice president of global audit and transformation for Texas-based Dell Inc. “As with any compliance program, it is prudent for organizations to build FCPA compliance programs that incorporate all the effective elements established by the Federal Sentencing Guidelines into their ethics and compliance programs.”
According to Harrington, the increased government oversight on FCPA compliance efforts also is having a profound impact on organizations across the United States. During the first 25 years after the act’s enactment, there were 17 enforcement actions compared to 40 in 2008 and 120 in 2009 — a 200 percent increase in the number of fines given within a 12-month period alone. In addition, corporate officers are serving jail time for up to five years, and organizations can pay up to US $25 million for accounting books and records violations and US $2 million in fines involving bribes.

Cindi Hook, vice president of global audit and transformation for Texas-based Dell Inc., agrees with Harrington. As Hook explains, although internal auditors have historically audited for FCPA compliance since enactment of the law in 1977, recently internal auditors have enhanced their FCPA audit programs given the increasing reliance of U.S.-based organizations on foreign operations and the harsher penalties for noncompliance. A prime example of these tougher penalties is the recent US $185 million deal automaker Daimler has agreed to pay in fines as a direct result of the organization’s lack of enforcement with its code of integrity, which included anti-bribery provisions.[4]

“This increase in enforcement actions and fines clearly shows that the FCPA is a top issue for the DOJ, and should be a top priority for any organization performing business outside the United States,” says Harrington. “Although it is hard to get the necessary evidence to prosecute individuals and organizations that engage in bribes and illegal payments, DOJ is using books and records to prosecute companies as these are hard to cover up.”

Compliance with anti-corruption laws and regulations extends outside the United States as well. Europe and other parts of the world have similar legislation to the FCPA. Anti-corruption legislation in Europe, for instance, doesn’t allow facilitation payments and the ramifications of noncompliance are more profound. Germany is also the most active enforcer behind the United States. Consequently, Harrington expects that FCPA compliance mandates will be tightened even more within the next couple of years.

[4] The Associated Press, “Daimler Bribes: A Blown Chance to Clean Up Its Act” (April 1, 2010), www.google.com/hostednews/ap/article/ALeqM5hgUeBg0DEtawEb6oOAZK4JdQ1Q_gD9EQ9RSG0
Recommendations for Effective FCPA Internal Audits
According to Carole Switzer, president of OCEG, a nonprofit organization that offers governance, risk, and compliance guidance, FCPA compliance programs should be no different than other compliance initiatives. “Overall, organizations need to have clearly documented policies and procedures, technical controls, and training,” Switzer says. “Part of the problem we see in many organizations is the lack of a coherent and organized structure around compliance with a particular requirement. However, in a well-organized company the anti-corruption program is also well-run.”

To help organizations enhance their compliance activities, internal auditors need to be a part of the compliance program during the beginning stages. This helps to make sure controls are properly designed, well established, and documented. In addition, internal auditors can recommend that the organization applies OCEG’s GRC Capability Model. Also known as the OCEG Red Book, the model enables organizations to go through the different steps that can help them mature their approach to anti-corruption so that it achieves transparency. Once implemented, internal auditors can then evaluate its effectiveness in preventing and detecting fraudulent behavior. The organization also may obtain OCEG certification of the design and implementation of the anti-corruption program, thus demonstrating it follows Red Book practices for an effective and high-performing program.

Recommendations for Internal Audit Activities

To ensure internal auditors are adding value to their organization’s FCPA compliance efforts, CAEs should:

- Ensure the internal audit activity is part of the compliance program during the beginning stages to make sure controls are properly designed, well established, and documented.
- Recommend that the organization applies OCEG’s GRC Capability Model, which can help organizations mature their approach to anti-corruption.
- Coordinate financial reporting control reviews and FCPA audits that look into anti-corruption processes, if these are separate activities.
- Perform a risk assessment that identifies FCPA compliance risks.
- Incorporate FCPA screening as part of planned compliance audits.
- Determine if the organization is providing training and education to employees dealing with FCPA compliance. This includes mandatory training sessions for all internal auditors.
- Perform testing procedures as a scope area in internal audit engagements to confirm whether fraud controls and processes are working as intended or whether vulnerabilities exist.

In addition to helping organizations enhance FCPA compliance efforts, CAEs need to be cognizant of the differences between traditional financial reporting activities and FCPA reviews. For instance, unlike traditional financial reporting, the FCPA does not have a materiality threshold. Therefore, corporate FCPA guidelines and internal audit programs should be different from compliance programs aimed at ensuring the accuracy of financial reporting.

“Given the specificity of FCPA reviews, we have found that it is better to separate these reviews from our financial controls and compliance audits,” explains Gary Fair, vice president of corporate internal audit for New Jersey-based Johnson & Johnson. “Still, since both types of audits have books and records components, there is a communication link between the work done to review controls over the accuracy of financial reporting and FCPA audits that look into anti-corruption processes.” In addition, as Fair continues, keeping financial controls reviews and FCPA audits separate should not absolve financial auditors from the responsibility of being cognizant of FCPA issues and for escalating any issues that require more investigation.
Besides the recommendations above, interviewees discussed four practices that have served to enhance their organization’s FCPA compliance efforts. These are the performance of risk assessments that identify risks around FCPA compliance, FCPA screenings, mandatory FCPA training for all internal auditors, and testing.

Risk assessment. To ensure internal audit plans specifically address FCPA issues, CAEs need to ensure that the annual risk assessment incorporates risks around FCPA compliance. However, unlike the typical low, medium, and high risk assessment methodology, once an organization conducts foreign sales, noncompliance risks will always be high regardless of the total sales revenue collected. Other items that can be included in the risk assessment are reviews of expense reports and payments to government officials and audits on the effectiveness of established internal controls pertaining to books and records. (Read “Assessing FCPA Risk” for more recommendations.)

FCPA screenings. An FCPA screening is a tool that can help internal auditors identify when FCPA issues may occur during the normal course of business operations. Hook recommends that internal auditors incorporate FCPA screenings as part of compliance audits. “Planned engagements should be evaluated as to whether FCPA screenings should be included in the scope,” she states. “Key indicators include newly established business operations outside of the United States, increased business in countries with developing economies, and the use of third parties in transactions with non-U.S. government officials.”

To increase the screening’s effectiveness, internal auditors should apply manual and automated methods to search for potential FCPA violations and evaluate the design and operating effectiveness of detection, prevention, and monitoring controls aimed at FCPA compliance. In addition, auditors should examine all components of the FCPA compliance program, including:

- Gift and travel policies.
- Cash management and disbursement policies.
- Incident reporting and investigation procedures.
- FCPA awareness and education.
- Third-party oversight.

Assessing FCPA Risk

In “Prescription for FCPA Compliance” author Matt Birk, partner from Deloitte Financial Advisory Services LLP, writes that risk assessments often start with an evaluation of policies and procedures; an analysis of risk factors; the brainstorming of potential violation schemes; and an assessment of the likelihood, significance, and pervasiveness of FCPA risks. For more detailed analysis, however, internal auditors and other compliance and legal staff can consider the following qualitative and quantitative risk factors:

- The history of industry and company FCPA violations.
- The company’s geographic location and its corruption rating from Transparency International.
- The country’s anti-corruption enforcement level and ongoing investigations or schemes.
- Business unit susceptibility to FCPA violations related to the use of third parties.
- Employee, vendor, and agent knowledge of the FCPA rules and FCPA policies within the organization.
- Findings from previous transaction testing, audits, surveys, and hotlines.
- Previous internal control deficiencies.
- Recent business unit changes in management or business composition.
- International business unit revenues.
- The dollar amount and percentage of government business.
- The number and dollar amount of accounts payable transactions.
- Payments to third parties including sales agents and commercial agents.
- Payments for professional services and discretionary, noninventory spending.
- Growth rates.
- Budget to actual variances.
- Nature of time and expense reporting.

Source: Internal Auditor, “Prescription for FCPA Compliance” (February 2010), pp. 53–57

FCPA internal audit training. “The FCPA has forced internal auditors to consider elements that were not previously considered within the normal realm of a financial audit,” says Fair. “In fact, due to the exposure and criticality of the FCPA, there’s been a need for more training for internal auditors and the hiring of experienced auditors to conduct FCPA audits.” As a result, CAEs need to determine whether the organization is providing the necessary training and education to employees dealing with FCPA compliance issues to ensure they fully understand what is required of them and are executing their work appropriately.

Fair has instituted mandatory FCPA training for all internal auditors. Training is given to all new employees at the time of hire and at least annually. The sessions are taped and placed on Johnson & Johnson’s Web site and are available to all employees 24 hours a day, seven days a week. Furthermore, the company’s FCPA auditors are required to complete internal and external training that is even more extensive.

Other practices internal audit activities can undertake to maximize the organization‘s FCPA
compliance program include:

- Assessing management’s FCPA knowledge and compliance activities.
- Testing policies and procedures for awareness and effectiveness.
- Accumulating automated controls and proactive data anomaly detection tools.
- Selecting samples of high-risk transactions for further analysis.
- Testing transactions to determine whether FCPA controls are working as intended.
- Reporting findings to compliance officers, audit committees, and legal counsel.
- Driving policy and procedural change using identified risks and gaps.
- Training foreign employees.
- Sharing with employees lessons learned from prior FCPA matters.

Testing. Once internal auditors have determined FCPA is an area of concern for the organization, internal audit plans must incorporate testing procedures to confirm whether fraud controls and processes are working as intended or whether vulnerabilities exist. “Internal auditors can add FCPA requirement testing as a scope area in their engagements,” says Hook. “Auditors can test specific red flags and help perform ethics investigations regarding potential FCPA violations.”

According to Matt Birk, partner in Deloitte Financial Advisory Services LLP,[5] testing often involves an analysis of several areas for high-risk transactions or lack of controls including:

- General ledger accounts such as fines, penalties, licenses, permits, travel expenses, employee bonuses, entertainment, marketing, commissions, education, and gifts to charitable and political organizations.
- Accounts payable data for high-risk transactions, such as commission payments and professional services fees.
- Accounts receivable data for US $0 invoices or credits to customers.
- Anti-bribery provisions in agreements with agents.
- Activities and payments related to sales to government customers.
- Purchases from partially or wholly government-owned entities.
- Payments to government entities for goods, services, and other regulatory matters such as fines, penalties, licenses, and permits.
- Employee expense reports.
- Bank statement reconciliations and details.
- Petty cash activities.

[5] Internal Auditor, “Prescription for FCPA Compliance” (February 2010), pp. 53–57

To maximize testing, internal audit activities can use technology. For instance, electronic data anomaly filters and customized queries can help internal auditors interrogate databases and quickly identify potential high-risk transactions. Automated monitoring and detection controls can help spot red flags, such as overspending on entertainment and gifts to government officials, while online risk surveys can help internal auditors obtain qualitative information to confirm interview leads and identify new investigation avenues.

Finally, key word searches can help identify potential FCPA violations by revealing potential red flags such as invoices that have been paid twice, requests for questionable payments by agents or business partners, and round-dollar payments. Key word searches can be applied to financial databases, general files, or employee e-mails.
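The following Python script is an added example and is not part of the IIA briefing or any interviewee's audit program. It shows what the customized queries and key word searches described above look like when run over an accounts payable extract: the ledger rows are constructed for illustration, and the keyword list, the round-dollar threshold, and the government hospitality cap are assumptions that an audit team would set from its own risk assessment. Each filter corresponds to one red flag named in the text (an invoice paid twice, a large round-dollar payment to an agent, questionable wording in a payment description, and gift or entertainment spend involving government officials).

```python
"""Red-flag screening of an accounts payable extract with customized queries.

Added example, not from the IIA briefing. The ledger rows are constructed for
illustration; the thresholds and keyword list are assumptions that an audit
team would tune to its own risk assessment.
"""
import sqlite3

# Constructed AP extract: (id, vendor, vendor_type, invoice_no, amount, description)
AP_ROWS = [
    (1, "Acme Logistics", "vendor", "INV-1001", 12345.67, "Freight charges March"),
    (2, "Acme Logistics", "vendor", "INV-1001", 12345.67, "Freight charges March"),  # same invoice paid twice
    (3, "Global Sales Agency", "agent", "AG-22", 50000.00, "Commission Q1"),          # round-dollar agent commission
    (4, "Global Sales Agency", "agent", "AG-23", 48712.40, "Commission Q1 adjustment"),
    (5, "City Permits Office", "government", "PRM-9", 1200.00, "Permit fee"),
    (6, "Ministry Hospitality Svc", "government", "HSP-3", 4800.00, "Dinner and gifts for ministry officials"),
    (7, "Consult Partners", "vendor", "CP-77", 9999.00, "Expedite fee to facilitate customs release"),
    (8, "Office Supply Co", "vendor", "OS-41", 312.18, "Paper and toner"),
]

# Assumptions an audit team would set from its own risk assessment.
KEYWORDS = ("facilitat", "expedite", "gift", "official", "cash")
ROUND_DOLLAR_MIN = 10000.0       # whole-dollar amounts at or above this are flagged
GOV_HOSPITALITY_MAX = 500.0      # cap for gifts/entertainment with government counterparties


def load_ledger(rows=AP_ROWS):
    """Load the extract into an in-memory SQLite table so it can be queried like a database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ap (id INTEGER PRIMARY KEY, vendor TEXT, vendor_type TEXT, "
                "invoice_no TEXT, amount REAL, description TEXT)")
    con.executemany("INSERT INTO ap VALUES (?, ?, ?, ?, ?, ?)", rows)
    return con


def duplicate_payments(con):
    """Same vendor and invoice number paid more than once (double-payment red flag)."""
    sql = ("SELECT vendor, invoice_no, COUNT(*) AS n FROM ap "
           "GROUP BY vendor, invoice_no HAVING n > 1 ORDER BY vendor")
    return list(con.execute(sql))


def round_dollar_payments(con, minimum=ROUND_DOLLAR_MIN):
    """Large whole-dollar payments; genuine invoices rarely land on round amounts."""
    sql = ("SELECT id, vendor, amount FROM ap "
           "WHERE amount >= ? AND amount = CAST(amount AS INTEGER) ORDER BY id")
    return list(con.execute(sql, (minimum,)))


def keyword_hits(con, keywords=KEYWORDS):
    """Key word search over payment descriptions; returns (row id, matched keyword) pairs."""
    hits = set()
    for kw in keywords:
        for (row_id,) in con.execute(
                "SELECT id FROM ap WHERE lower(description) LIKE ?", (f"%{kw}%",)):
            hits.add((row_id, kw))
    return sorted(hits)


def government_hospitality(con, cap=GOV_HOSPITALITY_MAX):
    """Gift/entertainment spend with government counterparties above the program cap."""
    sql = ("SELECT id, vendor, amount FROM ap WHERE vendor_type = 'government' AND amount > ? "
           "AND (lower(description) LIKE '%gift%' OR lower(description) LIKE '%dinner%' "
           "OR lower(description) LIKE '%entertain%') ORDER BY id")
    return list(con.execute(sql, (cap,)))


def screen(rows=AP_ROWS):
    """Run every filter and return the flagged items grouped by red flag."""
    con = load_ledger(rows)
    try:
        return {
            "duplicate_invoice": duplicate_payments(con),
            "round_dollar": round_dollar_payments(con),
            "keyword": keyword_hits(con),
            "government_hospitality": government_hospitality(con),
        }
    finally:
        con.close()


if __name__ == "__main__":
    for flag, items in screen().items():
        print(f"{flag}: {len(items)} item(s)")
        for item in items:
            print("   ", item)
```

Each flagged row is a lead for follow-up (pulling the supporting invoice, the agent agreement, or the expense approval), not a finding in itself; the same queries run against a real extract would be tuned so that legitimate round-amount items such as fixed permit fees do not swamp the reviewer.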

Recommendations for Organizational Compliance

Many types of controls come into play to ensure the effectiveness of an organization’s anti-corruption program and, consequently, FCPA compliance efforts. As Switzer explains, first the organization needs to have clear policies that identify corrupt practices. Many of the policies go above and beyond FCPA compliance and include documented procedures that support these policies.

Second, organizations need to think about the human capital controls that can be put into place. One of the most important controls, as stated earlier, is effective training. “There are many modes and methods of training,” says Switzer. “The DOJ takes the view that anti-corruption training should be provided to individuals based on their level and responsibility as part of the anti-corruption program. However, all employees and stakeholders who are in situations that provide opportunity to engage in or facilitate a corrupt activity should receive training designed to address their specific roles.”

Recommendations for Organizationwide Compliance Initiatives

In addition to having the right tone at the top in support for the organization’s FCPA compliance efforts, at a minimum, FCPA compliance programs should have the following elements:

- Clearly written policies and procedures that state what can and cannot be done in terms of corruption.
- Human capital controls, including employee training.
- Detective, preventive, and monitoring controls aimed at FCPA compliance, which are integrated into each department within the organization.
- Monitoring and reporting procedures, such as an executive-level FCPA review committee, an FCPA compliance officer or ombudsman, screening methods and checklists to identify when FCPA issues may occur, and questionnaires for use internally and with third parties.

Training also needs to go beyond an understanding of what is considered a corrupt practice. Many
employees are placed in situations where someone in power tells them to do something that is
unethical or illegal. Consequently, employees need to be trained in how to respond to and manage
through these difficult situations. This often requires them to know how to manage communication
to ensure compliance rather than simply understanding what the law says.

In addition to implementation of a staff training program, HG.org, a Web site that provides legal
directories and information, recommends that organizations implement the following steps:

Draft a written policy on FCPA compliance and distribute the policy to all employees,
including those located in overseas offices. The FCPA policy should be carefully written
to reflect the actual business and operations of the organization and should be updated
regularly to reflect new developments in the United States and rapidly evolving changes
in anti-bribery laws around the world.
Implement the FCPA policy by putting in place comprehensive monitoring and reporting
procedures that reflect the company's business and operations. Procedures to consider
including in the FCPA policy are:
o Establishing an executive-level FCPA review committee to manage and review
issues as they arise.
o Designating an FCPA compliance officer or ombudsman to whom FCPA referrals
may be made by employees on a confidential basis.
o Developing screening methods and checklists to identify when FCPA issues may
occur during normal business operations.
o Crafting questionnaires for use internally and with third parties.
o Writing appropriate contract language for inclusion in all agreements that may
give rise to FCPA concerns.
Act swiftly if FCPA allegations and violations are received. In the event actual violations
have occurred, the company should have in place standard disciplinary procedures that
apply to all employees who violate the FCPA policy. The company also should assess
whether its policies and procedures need to be modified and its internal enforcement
strengthened. In appropriate cases, the company should consider voluntary disclosure of
FCPA violations to the federal government to mitigate its exposure to enforcement action.
Review FCPA matters regularly. The company's FCPA review committee or compliance
officer should report regularly to the company's board of directors any policy violations,
enforcement measures, and disciplinary actions. The board should periodically evaluate
the effectiveness of the FCPA policy and procedures.

Ensuring the organization has the right tone at the top is also essential to the success of the
organization's FCPA compliance efforts. As the recent Daimler example illustrates, one of the
reasons behind Daimler's lack of compliance with the FCPA was management's resistance to the
code of integrity's anti-bribery provisions.

"At an organizational level, there should be a strong control environment, including the right tone
at the top," says Hook. "There should be no tolerance for unethical behavior and a strong tone of
ethical integrity at the senior management level." As Hook continues to explain, executive
management must be committed to the notion that acting legally and ethically is just as important
to the organization as being profitable, and operate under the mindset that business will be won
based on the merit and integrity of the organization's products, services, and stakeholders.
Detective, preventive, and monitoring controls aimed at FCPA compliance also should be
integrated into each department within the organization.

Finally, CAEs can recommend that the organization follows the seven elements of an effective
ethics and compliance program (PDF, 243 KB). Johnson & Johnson's FCPA compliance initiative
follows the seven elements, which include written FCPA policies and procedures and compliance
testing by local or regional teams and internal auditors. (For more information on the seven
elements, read "Effective Ethics and Compliance Program Elements" at the end of this page.)

Effective Ethics and Compliance Program Elements

According to Nick Ciancio, chief compliance officer for ethics and compliance solutions service provider Global
Compliance, the following seven elements should be included in any ethics and compliance program to
maximize its effectiveness:

1. Standards and procedures, such as the organization’s code of conduct, which outline expected behaviors
from all employees.
2. Oversight including the presence of a strong leader.
3. Education and training.
4. Auditing and monitoring of internal systems and verifying their compliance with the FCPA.
5. A reporting mechanism for employees to voice allegations or concerns without fear of retribution.
6. Consistent enforcement of standards and procedures via appropriate disciplinary actions.
7. Response and prevention actions once an allegation is made or an occurrence of unethical behavior
is reported.

For more recommendations on how to implement an effective ethics and compliance program, read The IIA’s
Implementing an Effective Ethics and Compliance Hotline (PDF, 1.3 MB).

Recommendations for Audit Committees

Recommendations for Audit Committees on FCPA Compliance

The audit committee plays a pivotal role helping the organization assess the effectiveness of
FCPA compliance efforts and ensuring risks are taken into consideration that could hinder its
compliance with the legislation. Consequently the audit committee should:

Ask the CEO and CFO about the FCPA compliance program, including the organization's code of
conduct and policies outlining the steps needed to achieve FCPA compliance.
Ask the CAE, CEO, CFO, and legal counsel about the organization's plan should a violation occur
and the process and timing for disclosures.
Determine if legal counsel and the CAE have access to expertise on FCPA issues, including the
involvement of a third party that can provide recommendations to enhance the FCPA program's
effectiveness.
Assess whether FCPA testing is incorporated into an internal audit program and risk assessments.
Ask senior management to provide evidence on the existence of:
o A complete and unified risk matrix that shows the organization has thought through the
processes or situations that could arise and lead to noncompliance with the act.
o A list specifying each process control owner.
o A mechanism to monitor compliance with the anti-corruption program.
o Documentation of change management controls, if needed.
Make sure there is a management process in place that moves things through in a timely fashion
in the event that a fraudulent event is identified.
Ascertain whether the organization's executive compensation policy clearly states how
incentive-based pay will be determined and allocated.
Ensure FCPA compliance is included in the enterprise risk management (ERM) program, especially
if the organization performs business transactions internationally.

As part of their work, CAEs need to inform the audit committee if there are any issues that could
deter the organization from achieving compliance with any legislation. Similarly, audit committees
play a vital role helping to ensure the organization's internal controls properly reflect its risk
portfolio. Consequently, CAEs can help educate audit committee members about the FCPA and its
impact on the organization, the organization's responsibility toward FCPA compliance, and the
different elements needed to maximize the compliance program's effectiveness.

"Audit committees have a risk oversight responsibility and are in constant communication with the
internal audit, accounting, external audit, legal, and ethics and compliance teams," says Hook. "As
a result, they can ensure there is a well-established and effective FCPA compliance program in
place by reviewing planned program priorities and results."

According to the American Institute of Certified Public Accountants (AICPA),[6] the audit
committee should ask:

The CEO and CFO about the FCPA compliance program, and whether the organization's code of
conduct and policies outline the steps needed to achieve FCPA compliance.
The CEO, CFO, legal counsel, and the CAE about the organization's plan should a violation occur
and the process for disclosures and their timing.
Legal counsel and the CAE whether they have access to expertise on FCPA issues.
The CAE how FCPA testing is incorporated into an internal audit program and risk assessments.

[6] AICPA's "Foreign Corrupt Practices Act — Primer and Tool for Audit Committees" (June 2008),
www.aicpa.org/download/audcommctr/Audit_Committee__FCPA.pdf (PDF, 150 KB)
Besides ensuring that the organization has formal, written anti-corruption policies and
procedures, Switzer recommends that audit committees ask senior management to gain OCEG
certification of the anti-corruption program and provide evidence on the existence of the following
elements:

A complete and unified risk matrix that shows the organization has thought through the
processes or situations that could lead to noncompliance with the FCPA.
A list specifying the owners for each process control.
A mechanism to monitor compliance with the anti-corruption program.
Documentation of change management controls, if needed.

The audit committee also needs to make sure there is a management process in place that moves
things through in a timely fashion in the event that a fraudulent event is identified. As part of
this process, issues must be reported and resolved, including the reporting and resolution of the
underlying cause. Similarly, the audit committee needs to make sure the organization has an
established mechanism to deal with program violations even-handedly. As Switzer explains, this
means there should be no selective enforcement of the anti-corruption program's compliance.

Furthermore, the audit committee needs to make sure there is a clearly stated executive
compensation policy that talks about incentive-based pay. "Corruption arises when an individual
has the personal motive and the right organizational incentives in place, which are often
unintentional on the part of the organization," comments Switzer. "Therefore, the audit committee
should ensure the compensation policy has removed any potential incentives for fraud."

Harrington recommends that audit committees ensure FCPA compliance is included as part of
the ERM program, especially if the organization performs business transactions internationally.
"Transparency International publishes an annual Corruption Perceptions Index (CPI), which
measures the perceived level of public-sector corruption in 180 countries and territories around
the world," adds Harrington. "If an organization works in a country that ranks highly on this index,
audit committees need to make sure the organization's ERM program makes FCPA compliance a
high priority."

One way to go about ensuring FCPA compliance is a high priority is by asking management to do
presentations on the types of controls that the organization needs and has implemented
surrounding FCPA compliance and what they are doing to ensure compliance. The internal audit
activity then monitors management's performance in this area and tests the effectiveness of
controls in ensuring compliance. "Basically, it's a three-pronged approach consisting of the audit
committee, management, and the internal audit activity to make sure the company is in
compliance," says Harrington.

Finally, the audit committee might recommend the involvement of a third party that can provide
recommendations to enhance the FCPA program‘s effectiveness. Third-party service providers
include law firms or a Big Four accounting firm with expertise in FCPA compliance.

Emerging FCPA Compliance Trends

Key Survey Results

The IIA performed a survey among GAIN members to obtain baseline information regarding
compliance efforts with the FCPA. The survey identified the following four key findings:

FCPA compliance efforts are taking a more prominent role organizationwide.
Internal auditors are becoming key players in their organization's FCPA compliance efforts.
Training and coordination of compliance activities were identified as the top practices in
ensuring compliance with the FCPA.
Risk assessments are a key component of the organization's FCPA compliance efforts.

In March 2010, The IIA performed a survey to identify the state of compliance efforts with the
FCPA among members of The IIA's Global Audit Information Network (GAIN).[7] A total of 1,802
survey invitations were sent, of which 129 responses were obtained.[8] Of these responses, 82 CAEs
and internal audit directors and managers stated that their organization performs business
transactions outside the United States. Following is a summary of the key survey findings obtained
from the 82 respondents.

Key Survey Findings

FCPA compliance efforts are taking a more prominent role organizationwide. According to
survey results, the majority of organizations performing business transactions outside the United
States have implemented programs addressing FCPA compliance. Of the 88 percent of organizations
with an FCPA compliance program:

46 percent have robust, formal programs (i.e., they include policies, procedures,
monitoring, and training).
24 percent have informal programs that will be transitioned into a more formal program in
the future.
18 percent have informal programs that include some of the elements featured in more
robust, formal programs.

The presence of FCPA compliance programs goes hand-in-hand with the importance of the
subject at an organizational level. As evident in the survey results, 71 percent of the 82
respondents stated that the level of attention the organization pays to FCPA compliance has
increased over the past three years. The No. 1 reason for this increased level of attention is the
organization's expansion or future expansion into international markets, followed by increased
regulatory attention and enforcement, previous incidents leading to a heightened focus on FCPA
compliance, and increased media coverage of noncompliance situations.

[7] IIA Flash survey, "The U.S. Foreign Corrupt Practices Act: Current Internal Audit and Compliance Practices" (March
2010), www.theiia.org/download.cfm?file=54479
[8] Forty percent and 30 percent of survey participants work in internal audit activities consisting of 3–6 and 7–15
internal auditors, respectively; 50 percent work in organizations with annual revenues of US $1 billion or more; the top
five industries represented by participating organizations include manufacturing (26 percent), financial
services/banking/real estate (10 percent), insurance carriers/agents (9 percent), health services (6 percent), and
educational services and wholesale/retail (6 percent, each); finally 47 percent of respondents work in organizations
conducting business transactions in 1–10 countries, 23 percent work in organizations conducting business transactions
in 11–20 countries, 9 percent of participating organizations perform business transactions in 21–30 countries, and 21
percent perform business transactions in more than 30 countries.

Internal auditors are becoming key players in their organization’s FCPA compliance
efforts. Internal audits of FCPA compliance activities are increasing, and a large number of
internal auditors are providing much needed assistance by participating as key members of
organizationwide FCPA compliance programs. More than half of the internal audit activities
represented in the survey (61 percent) perform audits surrounding FCPA compliance that are
incorporated into reviews of operating units or processes. In addition, the primary role of internal
auditors is to provide support as needed or requested during investigations of FCPA violations.
(Refer to Figures 1, 2, and 3 for a detailed summary of these responses.)

Figure 1. Percent of Internal Audit Activities Performing FCPA Compliance Reviews
(Note: Percentages are based on the 82 respondents working in organizations that perform business transactions
outside the United States)

No 39%
Yes 61%

Figure 2. Internal Audit Efforts Pertaining to FCPA Compliance
(Note: Percentages are based on the 61 percent of respondents stating they perform FCPA compliance reviews)

FCPA audits are incorporated into other internal audits of operating units or processes 70%
Operating units or processes are subject to regular, separate audits for FCPA compliance 32%
Operating units or processes are audited for FCPA compliance if there is some indication of FCPA compliance problems 28%
An enterprisewide audit of the FCPA program is executed 26%
A continuous monitoring program is conducted to assess FCPA compliance 14%
Other 4%

Figure 3. Internal Audit Roles During Investigations of FCPA Violations
(Note: Percentages are based on the 82 respondents working in organizations that perform business transactions
outside the United States)

Another area of the company is primarily responsible for investigations; internal auditing participates with that area in investigations or provides support as needed or requested 45%
Internal auditing is primarily responsible for conducting or managing FCPA investigations 25%
Other 20%
Third parties are hired by the area responsible for FCPA to conduct investigations 6%
Third parties are hired by internal auditing to conduct the investigations 2%
Another area of the company is primarily responsible for investigations; internal auditing does not actively participate in the investigations 2%

The survey also found a trend toward heightened internal audit focus among participants:
45 percent of survey participants stated that FCPA internal audit efforts have increased for 2010
since 2008, compared to 46 percent who stated audit efforts have stayed the same. In 65 percent
of the organizations where internal audit efforts have increased, assurance and consulting
activities have increased by up to 25 percent,[9] and in 31 percent of those organizations they have
increased by 50 percent or more.[10]

Finally, board-level responsibility for FCPA efforts is executed mostly at the audit committee
level,[11] which helps to further increase internal audit awareness on the subject and better
coordinate FCPA compliance activities organizationwide. As stated earlier, 70 percent of
organizations incorporate FCPA audits into other internal audits of operating units or processes
and in 77 percent of the organizations there is joint coordination between the internal audit activity
and legal department on matters pertaining to FCPA compliance and testing.

Training and coordination of compliance activities were identified as the top practices in
ensuring compliance with the FCPA. Respondents were asked to identify leading
organizational and internal audit practices pertaining to FCPA compliance. According to survey
respondents, training was identified as the No. 1 organizational practice in ensuring compliance
with the FCPA. Other organizational practices in order of importance include:

Internal audit processes and organizational controls that ensure compliance in addition to
the organization's code of conduct or ethics.
Compliance audits and monitoring.
An annual compliance certification process with business conduct policies for all
employees, stakeholders, and service providers affiliated with the organization.

[9] This percentage represents 17 organizations.
[10] This percentage represents 8 organizations.
[11] 60 percent of the 82 organizations assign board-level responsibility for FCPA efforts at the audit-committee level and
27 percent assign FCPA responsibility to the full board of directors.

Formal guidelines pertaining to the use of third-party service providers.
Proper tone at the top in support of FCPA compliance efforts and management
involvement in anti-corruption activities.
A confidential reporting mechanism for compliance breaches.
Enforcement of clear penalties under the organization‘s code of conduct for
noncompliance with FCPA policies and procedures.

In terms of internal audit practices, ensuring the joint coordination between the internal audit
activity and legal department on matters pertaining to FCPA compliance and testing was
identified as the No. 1 step necessary for achieving FCPA compliance success. Other steps, in
order of importance, include performing FCPA-specific risk assessments for proactive location
and scope selection; executing a documented approach and methodology under the company's
overarching FCPA policy; using third-party expertise to supplement resources, knowledge, and
tools; and using data analytic tools to identify high-risk transactions. (Refer to Figure 4 for a
summary of all results.)

Furthermore, testing policies and procedures for awareness and effectiveness was identified as
the No. 1 FCPA compliance responsibility for internal audit activities followed by reporting findings
to compliance officers, audit committees, and legal counsel. The identification of these two
elements is not surprising given the high value survey participants place on the coordination of
FCPA testing and compliance activities between internal auditing and organizational functions.
(Figure 5 gives a snapshot of internal audit responsibilities pertaining to FCPA compliance and
Figure 6 provides a detailed list of all testing procedures used to confirm whether controls and
processes over illegal payments are working as intended.)

Figure 4. Steps Necessary to Achieve the Success of FCPA Internal Audit Programs
(Note: Percentages are based on the 82 respondents working in organizations that perform business transactions
outside the United States)

There is joint coordination between the internal audit activity and legal department on matters pertaining to FCPA compliance and testing 77%
We execute the documented approach and methodology under the company's overarching FCPA policy 31%
We use data analytic tools to identify high-risk transactions 29%
We use third-party expertise to supplement resources, knowledge, and tools 29%
We perform FCPA-specific risk assessments for proactive location and scope selection 32%
We perform regular, stand-alone FCPA assessments that are solely focused on foreign transactions 22%
We use dedicated and properly trained internal auditors to focus on FCPA compliance and audits 6%

Figure 5. Internal Audit Responsibilities Pertaining to FCPA Compliance
(Note: Percentages are based on the 82 respondents working in organizations that perform business transactions
outside the United States)

Testing policies and procedures for awareness and effectiveness 74%

Reporting findings to compliance officers, audit committees, and legal counsel 68%

Selecting samples of high-risk transactions for further analysis 55%

Testing transactions to determine whether FCPA controls are working as intended 52%

Conducting broad FCPA risk assessments that identify potential high-risk areas based on analysis 48%

Assessing management’s FCPA knowledge and compliance activities 44%

Obtaining or reviewing annual employee compliance declarations 39%

Driving policy and procedural change using identified risks and gaps 38%

Accumulating electronic data and conducting interviews 38%

Testing employees for FCPA policies and requirements 26%

Sharing with employees lessons learned from prior FCPA matters 23%

Training foreign employees 23%

Applying automated controls and proactive data anomaly detection tools 13%

Figure 6. Testing Procedures for Controls and Processes Over Illegal Payments
(Note: Percentages are based on the 82 respondents working in organizations that perform business transactions
outside the United States)

Employee expense reports 72%

Accounts payable data for high-risk transactions 63%


Payments to government entities for goods, services, and other regulatory matters such as fines, penalties, licenses, and permits 60%

Selected general ledger accounts 52%

Anti-bribery provisions in agreements with agents 50%

Activities and payments related to sales to government customers 45%

Petty cash activities 44%

Bank statement reconciliations and details 37%

Purchases from partially or wholly government-owned entities 33%

Accounts receivable data for US $0 invoices or credits to customers 24%

Risk assessments are a key component of the organization's FCPA compliance efforts.
Risk assessments are a valuable tool in helping senior management and internal audit activities
identify potential and existing areas that could expose an organization to compliance violations.
The survey asked participants key questions regarding their use of risk assessments as part of
the organization's FCPA compliance programs.

Nearly three-fourths of survey respondents (74 percent) stated that the internal audit activity
completes a risk assessment that identifies risks pertaining to FCPA compliance. The top five risk
factors that are considered during the risk assessment process, in order of importance, include:

The company's geographic location and its corruption rating from Transparency
International.
Business unit susceptibility to FCPA violations related to the use of third parties.
Previous internal control deficiencies and vulnerabilities.
Findings from previous transaction tests, audits, surveys, and hotlines.
The history of FCPA violations in the industry and company.

(Figure 7 identifies each of the risk factors.)

As is clearly evident, risk factors identified by survey participants are similar to the ones described
earlier throughout the report.

Figure 7. Risk Factors Considered During the Risk Assessment Process
(Note: Percentages are based on the 82 respondents working in organizations that perform business transactions
outside the United States)

The company’s location and corruption rating from Transparency International 67%
Business unit susceptibility to FCPA violations related to the use of third parties 65%
Previous internal control deficiencies and vulnerabilities 60%
Findings from previous transactions tests, audits, surveys, and hotlines 56%
The history of FCPA violations in the industry and company 55%
Payments to third parties including sales agents and commercial agents 55%
Employee, vendor, and agent knowledge and awareness of FCPA rules 51%
Recent business unit changes in management or business composition 48%
Payments for professional services 43%
The dollar amount and percentage of government business activities 38%
The country’s anti-corruption enforcement level and ongoing investigations 37%
International business unit revenues 26%
Discretionary, noninventory spending 21%
The nature of time and expense reporting 20%
Budget to actual variances 18%
The number and dollar amount of accounts payable transactions 18%
Compensation standards for employees and executives 15%
Growth rates 12%

Resources
The following online resources can provide CAEs and internal auditors with more information on
the FCPA:

Official FCPA Information

U.S. Department of Justice's FCPA Web page, www.justice.gov/criminal/fraud/fcpa/.
U.S. Sentencing Commission's Federal Sentencing Guidelines Manual Web page,
www.ussc.gov/guidelin.htm.
U.S. Department of Justice's Opinion Procedure Release 04-02,
www.justice.gov/criminal/fraud/fcpa/opinion/2004/0402.pdf (PDF, 23.6 KB).

Online Articles and Other Resources

"5 Ways Your Audit Team Can Incorporate FCPA Screening Into an 'Everyday' Audit,"
www.amper.com/publications/fcpa-audit-screening.asp.
AICPA's "Foreign Corrupt Practices Act — Primer and Tool for Audit Committees,"
www.aicpa.org/download/audcommctr/Audit_Committee__FCPA.pdf (PDF, 150 KB).
FindLaw.com's FCPA Web page, http://library.findlaw.com/1997/Jan/1/126234.html.
Forbes.com's "Investigating the FCPA,"
www.forbes.com/2009/12/08/foreign-corrupt-practices-act-opinions-contributors-michael-perlis-wrenn-chais.html.
http://findarticles.com/p/articles/mi_m4153/is_1_61/ai_n6152505/.
HG.org, "Compliance with the Foreign Corrupt Practices Act in the Post-Sarbanes-Oxley
World," www.hg.org/articles/article_235.html.
Internal Auditor, "Prescription for FCPA Audits" (February 2010),
http://theiia.texterity.com/ia/201002#pg55.
IIA Flash survey, "The U.S. Foreign Corrupt Practices Act: Current Internal Audit and
Compliance Practices" (March 2010), www.theiia.org/download.cfm?file=54479.
Transparency International's 2009 Corruption Perceptions Index Web page,
www.transparency.org/policy_research/surveys_indices/cpi/2009.
WrageBlog.com, "Role of Federal Sentencing Guidelines in FCPA Cases,"
http://wrageblog.org/2009/09/29/role-of-federal-sentencing-guidelines-in-fcpa-cases/.
