Avoiding FCPA Violations with Data Analysis

Christopher Stewart-Smith


December 10, 2012

On the surface, the Foreign Corrupt Practices Act (FCPA) is simple legislation aimed at cracking down on bribery. Yet it has enormous consequences, even for small violations.

The FCPA makes it a crime for U.S. individuals and companies to knowingly offer payment or promises of payment to foreign governments in order to secure business. In the first years after it was enacted in 1977, fines were small and enforcement was minimal. But many countries have recently followed suit with similar regulations and fines have increased dramatically. Global governments are now much more likely to investigate and prosecute violators than they were in the past.

The punishment for an FCPA violation can be severe. Organizations risk criminal penalties, including corporate fines of up to $2 million per each FCPA violation. Company officers, directors, stockholders, and employees can face personal fines and imprisonment for up to five years, and the U.S. Securities and Exchange Commission can impose civil actions against the firm or individuals within the firm, as well as revoke export licensing rights. In November, the Justice Department and the SEC even released a set of guidelines outlining how prosecutors intend to interpret and enforce the law, suggesting that the government’s pursuit of such cases will continue.

As a result, the FCPA should not be taken lightly. But compliance can be tricky. The global business environment includes many international, decentralized companies. Individuals often operate in countries where bribes and payoffs have historically been a routine part of doing business. When languages and business cultures vary to a large degree, it can be extremely difficult to keep tabs on the operations.

A key tool for avoiding FCPA difficulties is data analysis. The truth is in the data, because that is where a company’s conduct is recorded. The rows and columns of data often speak volumes about what is truly going on inside the business.

Using Analytics to Protect Yourself

Departments such as internal audit and compliance can play a critical role in FCPA compliance by implementing effective monitoring techniques. This shines a light on potential violations and helps develop a culture in which employees know their activities will be reviewed for possible ethical breaches.

As previously mentioned, one way to monitor for FCPA violations is through use of data analytics, which allow for complete, comprehensive testing of all corporate transactions. Companies can meet FCPA accounting provisions by employing software to repeatedly test the effectiveness of internal controls and highlight specific transactions that appear suspicious.

When it comes to bribery provisions, data analysis solutions can quickly and easily identify red flags and provide an invaluable early warning system. Software programs can uncover:

  • Payments to risky vendors, including government contractors and parties on government watch lists

  • Payments made from foreign bank accounts

  • Use of new attorneys, accountants, consultants or other professions with no prior relationship to the company

  • Missing descriptions or suspicious payment keywords, such as “for services rendered,” “gifts,” or “facilitation”

  • Checks made out to “cash”

  • Payments classified as government expenses, made in cash, or written to an individual

Analytics can also uncover suspicious situations that may warrant further investigation, including high cash transaction volumes, payments sent outside the country of operation, multiple gifts to a single individual, entertainment of government customers, bonuses of unusual quantity or timing or charitable contributions to organizations affiliated with the government.

Instilling a culture of continuous monitoring backed by effective controls can strengthen compliance efforts. Companies that are transparent with their monitoring practices give employees the impression that inappropriate actions might be questioned. This, in turn, can lead to a decline in fraudulent activities.

Data analysis technology can be particularly effective in enabling internal audit, finance, IT and business teams to identify and stay on top of internal control issues. This leads to the creation of detailed, objective, data-based evidence that fully conveys the nature of issues and the progress of resolution actions to senior management.

Mergers & Acquisitions Risk

One example of where data analytics can be helpful in avoiding FCPA issues is in mergers and acquisitions. Mergers can sometimes introduce the possibility of acquiring another company’s FCPA violations. The following are a few typical issues for consideration that are relevant to M&A and business integration activities as they relate to FCPA:

Valuation of the target’s assets and liabilities. Details of asset accounts in the target company — including receivables, inventories, plants and equipment — may not be well understood at the time of acquisition, and could contain data quality or other errors. This may impact the valuation of the asset reported on combined financial statements, and/or affect the future recoverability of the asset.

As new information comes to light, there may be an opportunity to make purchase price adjustments post-acquisition. Analysis can identify the need for adjustments and provide detailed evidence to support the calculation of the adjustment. Software can review payable and receivable transactions subsequent to the acquisition date, for example, to identify liabilities to vendors that have not been accounted for at the acquisition date.

Examining intercompany transactions. Before intercompany transaction processes can be fully rationalized, all intercompany transactions between the two entities must be identified and correctly accounted for. Identifying and tracking intercompany transactions can often be a painstaking manual task prone to errors and omissions.

Software can review vendor and customer master files, and transaction data to identify intercompany entities and associated transactions to ensure they are correct. The ability to read unrelated sets of data across both organizations’ systems allows a finance team to assemble and maintain a more complete picture of intercompany activity.

Rationalizing vendor and customer records. M&A situations may present significant overlap between the pre-integration companies’ vendor and customer masters. The combined companies may have duplicate vendor and customer master records, which brings the risk of inconsistent application of contracts and pricing agreements, and a greater potential for misstated or duplicate transactions due to confusion about the correct vendor or customer record to use.

The ability to easily and consistently analyze critical master files such as the vendor and customer masters can be a great tool to save time and effort by IT and the business areas during business integration. It provides oversight to the audit function on the state of business-critical master files and improves the overall quality of the merged master files as the business goes forward.

Combining IT systems. As companies work to merge their systems, normal internal controls may break down over factors such as organizational changes and staff turnover. These factors can lead to unanticipated segregation of duties violations, the potential to process business transactions in parallel across multiple systems, or the use of technology tools to extract, convert and load bulk data from one system to another, which bypasses data entry controls.

Software can discover and report on unwarranted use of high-level system access rights, and inventory user access profiles by business area. To guard against duplicate invoices and payments processed in parallel across systems and manage the risk of inadvertent overpayment to vendors, the solution is to run an automatic test for duplicate transactions across all company platforms.

Data analysis also helps auditors and IT to assess data quality before merging critical business systems and, after the transaction has closed, confirm that bulk data transfers and conversions are accurate and complete. The extensive logging and audit trails provided by software can serve as effective evidence that the imported data meets existing FCPA rules.

Checking across the organization. There are also opportunities to derive gains from the use of data analytics in payroll and human resources with regard to FCPA compliance. When organizations with different internal controls, management styles, and processes integrate, business risk increases exponentially. Finance, IT, business managers and internal auditors must maintain strong internal controls and appropriate risk management practices as company operations are integrated.

Data analytics provide an effective and efficient means to assess and manage risk while allowing companies to reap the rewards of business integration. Staying out of the FCPA crosshairs may be viewed by some as an added bonus, but given the severity of punishment for violators, it should always be a top priority.
Christopher Stewart-Smith is a data analytics consultant for ACL Services, a Vancouver-based technology company that provides audit and risk management software and services.