According to Daniel Kahn, Chief of the Fraud Section’s FCPA Unit, “The Department of Justice (“DOJ”) will look at your [anti-corruption compliance] program, not a proxy for your program. The DOJ wants evidence not only of a good program, but evidence that what you are doing is working.”
As the risk and number of corporate prosecutions grow, more companies have established anti-corruption programs including policies, financial controls, training, anti-corruption compliance, internal audits and other monitoring and testing procedures.
While most companies have adopted anti-corruption compliance programs, many still need to identify and invest resources to ensure that their programs are well-designed and operating effectively.
But How Do You Know If It Works?
In February 2017, the DOJ Fraud Section posted a memo entitled “Evaluation of Corporate Compliance Programs” that provides the most recent overview of what the U. S. government will consider in assessing the effectiveness of a company’s compliance program. Included in the 11 items on the checklist that emanated from the Resources Guide to the US Foreign Corrupt Practices Act and the US Sentencing Guidelines is Number 9 - “Continuous Improvement, Periodic Testing and Review”.
In Guideline No. 9, the DOJ will inquire as to whether the company:
- reviewed and audited its compliance program
- tested relevant controls
- evaluated compliance data
- interviewed employees and third parties
To Answer the Key Question:
Does the company have a risk-appropriate and effective program for preventing and detecting corruption in its business operation and how often has the company updated its risk assessment and reviewed its compliance policies, procedures and practices?
There is no one-size-fits-all approach to determine whether your anti-corruption program is working, is properly funded or staffed and it’s impossible to visit every location, interview every vendor and test every transaction. The DOJ notes that its Fraud Section does not use a rigid formula to assess the effectiveness of corporate compliance programs and that they make an individualized determination in each case.
How to Evaluate Your Anti-Corruption Program
Approach to compliance is always evolving. Your company should perform periodic assessments of its internal and external risks, including identifying business units and geographies with the highest corruption risk.
“An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas.” Such assessments and reviews should be conducted internally as well as by independent external reviewers.
Policies and procedures should be monitored and reviewed to account for changes in risk and the effectiveness of controls in place to mitigate any such risks. Factors taken into consideration when conducting such risk assessments include:
- Country Risk
- Business Sector
- Dependence on large government contracts, critical licenses and permits
- Transparency International’s Corruption Perception Index country rating
- Use of third parties
- Unusual payment arrangements and excessive commission structures
- Prior history of reported allegations of bribery or corruption
Companies have undertaken internal anti-corruption surveys to measure their compliance culture and strength of internal controls, identify best practices, and detect new risk areas.
A&M utilizes a survey based primarily on the U.S. Department of Justice Resource Guide to the U.S. Foreign Corruption Practices Act, The U.S. Federal Sentencing Guidelines, the OECD Good Practice Guidance and proprietary independent reviews of multinational companies’ anti-corruption best practices. Core areas covered include: (i) Program structure; (ii) Responsibility and Resources; (iii) Culture of Ethics and Tone from the Top/Middle; (iv) Due Care; (v) Written Standards; (vi) Training and Communication; and (vii) Enforcement and Response.
The survey typically starts with the Chief Compliance Officer and staff, senior and middle management, internal audit and should be pushed out to business line leaders, supply chain personnel and those in the field overseeing the work of third party agents. The cumulative responses to the survey should provide a good starting point to identify areas of non-performance that pose the greater risk and need the most remedial measures.
Companies also regularly test their internal controls with targeted audits to make certain that controls and polices on paper are working in practice. These audits should be conducted internally to show that the company has ownership of its anti-corruption program and supplemented by independent external resources with specialized compliance expertise. The scope and frequency of the compliance review will depend largely on the risk profile of the company.
Such audits include:
- Analyzing the anti-bribery and corruption compliance program effectiveness to ensure compliance with the organization’s code of conduct and anti-corruption policy, and that these policies and provisions are implemented in an effective way to ensure compliance.
- Conducting interviews with key senior and middle management to understand their knowledge and perspectives on the anti-bribery and corruption compliance program company-wide and within their specific business units.
- Conduct interviews with other key Company personnel and employees responsible for compliance, accounting, finance, internal audit, sales and marketing and other corporate functions to develop a full understanding of the company’s possible corruption exposure, the existing anti-bribery and corruption compliance program and how related controls are interpreted, communicated and tested.
Continuous Training and Communication is Essential
“The DOJ and the Securities and Exchange Commission will evaluate whether [a company] has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees and, where appropriate, agents and business partners.”
It is essential to ensure that the company’s polices are easily understood and that the company’s employees are able to live the company’s core values. Effective anti-bribery and anti-corruption programs require careful and continuous communication and training programs, updated to align with changing regulations and evolving country norms and include the following:
- Determine if there is effective communication to all directors, officers, employees, consultants and third parties with respect to corporate policies, anti-bribery and corruption compliance policies and procedures as related to existing domestic and applicable foreign anti-corruption laws.
- Assess the periodic and documented training for all directors, officers, employees, consultants, agents and others with respect to the requirements of applicable anti-corruption laws as well as the organization’s anti-bribery policies, procedures, standards and red flags. At a minimum, every person able to obtain business through bribery or other improper means should receive anti-corruption compliance training.
- Determine who is responsible for the content, delivery, updating and tracking of anti-corruption training.
- Determine if training resources are sufficient and knowledgeable in anti-corruption compliance. Training should highlight the company’s position that it does not tolerate corruption, that its anti-corruption policies are designed to ensure compliance with the requirements of the FCPA and UK Bribery Act, will identify potential “red flags” or problem situations, and provide guidance for employees to report violations and obtain company assistance.
- Assess the training materials for inclusion of appropriate content and ongoing modification as appropriate. Consider a mixture of live training for certain targeted and senior employees and web-based training for all employees. Along with senior management, employees in sales, marketing, finance, legal and internal audit should receive enhanced anti-corruption training.
Conclusion –Your Compliance Program Must Evolve as your Company Evolves
Even the strongest compliance program will not prevent or detect every violation. A company’s policies and procedures should be grounded on key values and principles to guide employees’ day to day decision making. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry.
The compliance program should be surveyed, monitored and reviewed continuously to account for changes in risk, changes in domestic and international anti-bribery laws and the effectiveness of the company’s procedures. The DOJ will look at periodic testing and review processes, such as audits, compliance communications and training to ensure a company updates its risk assessments and “reviews its policies, procedures, and practices."
A compliance program should evolve with the company. It is important to document your findings, analyze the results, make a report to management or the board, develop a set of next steps along with a prioritization and recommended plan for implementation.
 The Foreign Corrupt Practices Act of 1977, as amended, 15 U.S.C. §§ 78dd-1, et seq. ("FCPA")
 US Department of Justice, Criminal Division, Fraud Section, Evaluation of Corporate Compliance www.justice.gov/criminal-fraud/page/file/937502/download
FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act
 Transactional International, Verification of Anti-Corruption Compliance Programs
 FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act
US Department of Justice, Criminal Division, Fraud Section, Evaluation of Corporate Compliance