Enforcing anti-corruption policies among employees and third parties is one of the foremost concerns for compliance departments, but developing a robust process to assess and uncover bribery risks is no easy task.
At Compliance Week 2015, legal and audit executives with oil services giant Baker Hughes shared how they conduct a robust audit of compliance with Foreign Corrupt Practices Act policies across the company’s global enterprise. This process entails two main types of FCPA audits: internal FCPA audits of high-risk countries and emerging markets where the company has locations, as well as external audits, “which are internal audits conducted by Baker Hughes of external third parties,” explained Marianne Ibrahim, senior counsel of audits and investigations for Baker Hughes.
The overall purpose of these FCPA audits is to identify government points of interaction, which are going to be different depending on the industry and type of transaction, said Jennifer Ellison, senior legal compliance manager of Baker Hughes. Those transactions can be either direct or indirect, she said.
Examples of direct transactions include:
“The indirect side is where a lot of companies get into trouble,” Ellison said. These government points of interaction include customs agents and freight forwarders; visa processors; commercial sales agents; intermediaries, distributors; consultants and “channel partners.”
When it comes to external audits, “we don’t like to give third parties too much notice, but enough to be respectful,” Ibrahim said. Usually, third parties receive about two months of notice prior to an audit taking place, with a couple of options for dates. “We perform the audit with legal counsel leading the audit,” she said.
With regard to external audits, Baker Hughes reaches out to the business partner who has a license with that agent or sales representative. “We go through that business partner, because they’ve already established a relationship and have rapport with that agent,” Ibrahim explained. They also are familiar with cultural norms and can guide you on the appropriate ways to inform them about the audit, she said.
An initial document request for financial information inquiries is prepared. A binder that includes a variety of data—such as previous audits and resolutions conducted in that country—is also prepared.
“The key to that is to make sure there are no repeat findings,” Ibrahim said. If repeat findings are discovered, “somebody is going to get into trouble, and it’s going to get a higher severity rating.”
Next, Baker Hughes’ legal counsel, together with internal auditors, will refer to the company’s internal investigations database. “We talk about all open and closed matters in that country and try to figure out what’s going on,” Ibrahim said. For example, “Are there any trends? Do we need to focus on anything? What matters were substantiated?” she said. If the Department of Justice or Securities and Exchange Commission took any related enforcement actions in that country, and specifically within the oil and gas industry, those are also examined.
When it comes to data requests, “we always request trial balance and chart of accounts; journal entry line items; financial and compliance policies; audited financial statements; bank records and statements; a list of agents and their intermediaries; and revenue by country and customer,” Ellison said. “We always want to ask for data in a data file, not in a PDF format.”
FCPA Audit Interviews
The first step in conducting an FCPA audit interview is to select the right people to conduct the interviews. These individuals should be culturally sensitive, patient, and have a good working relationship with auditors. “Some counsel do not like working with auditors,” Ibrahim said. “I try to research cultural etiquette before I go and try to understand all their cultural expectations.” Furthermore, it should be stressed during the interview that the interview is a discussion, not an interrogation, she said.
Counsel should not do interviews with investigators. “It’s just an audit,” Ibrahim stressed. “If any matter arises that could potentially turn into an internal investigation, I extract that. We deal with that separately.”
Legal and audit should always be interacting back-and-forth. “People tend to blur the line and start going down that rabbit hole as soon as they start hearing things,” Ibrahim warned. “That can take away from other findings.”
Ibrahim also cautioned against simply asking a checklist of questions and then moving on. “In a lot of cultures, they want to give you what you want to hear,” she said.
As a practical example, maybe you ask them if they have any government interactions, and they answer, “No.” The follow-up question, however, is, “‘do you work with a national oil company?’ They answer, ‘yes.’ Well, that’s a government entity,” Ibrahim said. “That happens surprisingly way too often.”
As for how often FCPA audits are conducted, Ibrahim explained that Baker Hughes conducts them every three years for high-risk countries and every five years for low-risk countries.
At the conclusion of an audit, “we always end with a closing meeting,” Ibrahim said. Findings are verbally shared with external third parties, particularly as it concerns how they can improve their internal controls, she said: “We usually tell them to adopt a Code of Conduct and train all their employees on our FCPA anti-corruption training.”
With internal audit, numerous people are involved in the closing meeting, including all country management, senior officers, internal audit, and more. “There should be no surprises to country management,” Ibrahim stressed. “We try to inform them as we go along.”
Lastly, a final consolidated FCPA report is issued that is appropriate to the type of audit being conducted (i.e., internal audits vs. third-party audits). “That report doesn’t get shared with third parties,” Ibrahim explained. Instead, “we try to be as candid with them as possible.”
In comparison, internal audit reports are highly detailed. In those reports, any internal control breakdowns are noted, as well as management action plans. “We require management to respond to all the findings,” Ibrahim concluded. “We assign a responsible party, and there is to be an action plan for each finding.”