Law360 (October 19, 2020, 5:02 PM EDT) --
Companies often rely on third parties to fill a need, extend their reach or maintain a local salesforce. However, third parties may increase bribery and corruption risk if they are unsophisticated, do not share the company's core cultural values, or use local business practices that violate U.S. regulations.
Data privacy and state secrecy laws may also restrict remote access or sharing of financial and supporting documentation, which limits a company's ability to adequately monitor the third party's compliance with contractual, legal or ethical requirements.
Regulatory requirements, such as those contained in the Foreign Corrupt Practices Act, include third-party internal control provisions that are often cited by the U.S. Department of Justice and U.S. Securities and Exchange Commission when levying enforcement actions.
While on-site, third-party audits are typically the most effective way to address risk, assess compliance and comply with regulatory expectations, travel restrictions and cost-cutting measures have curtailed on-site visits. As a result, remote working plans should include alternative and defensible options to address third-party risks and compliance.
Sophistication and Local Regulations
When companies expand globally, they may become dependent on third parties for sales, marketing or distribution services. While these services alone pose corruption risk, it can be exacerbated when third parties are located in jurisdictions where compliance programs are the exception, technology is limited, government customers are involved, or bribery is considered a part of doing business.
Historically, on-site third-party audits in these same jurisdictions have been challenging, in part because documentation is often unorganized or nonexistent, data is not segregated by manufacturer, or record-keeping is manual or stored on archaic systems. While these limitations are typically found at smaller third parties, they also exist at larger, more sophisticated ones.
Global regulations, prosecutions and enforcement actions have all contributed to today's robust third-party audit processes. Yet, global data protection, privacy and secrecy regulations have had a direct impact on a company's ability to remotely access its third party's data and supporting documentation.
Unfortunately, some data localization laws, including the EU's General Data Protection Regulation and China's state secrecy law, have even prevented companies from conducting remote, virtual audits. Limited access to data can in turn lead to additional audit challenges, inefficiencies and the inability to follow up with the third party.
Recent FCPA settlements have also put the spotlight on companies' third-party internal controls. The FCPA specifically requires that companies "devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that unauthorized payments are not made," which applies to both the company and third parties operating on behalf of the company.
More recently, expectations have gone a step further, requiring internal controls to be in place to ensure discounts ultimately make it to the end customer.
The recent focus on discounts can be traced back to 2018, when Polycom Inc. settled with the DOJ and SEC for $35.7 million. Polycom had devised a system to establish discount approval thresholds but failed to design and maintain adequate controls to detect whether the reasons for discounts were accurate.
Also in 2018, Stryker Corp. settled with the SEC for $7.8 million to resolve issues that subdistributors "were not vetted, approved, and trained in accordance with its internal accounting controls" and that Stryker's "dealers regularly issued inflated invoices upon the request of certain private hospitals," which evidenced Stryker's failure to devise and maintain a system of internal accounting controls.
In 2019, the spotlight continued to shine on internal control issues related to discounts when Juniper Networks Inc. settled with the SEC for $11.7 million. Juniper allegedly diverted discounts into off-book funds that were used to pay for nonbusiness-related travel of government officials. In its SEC settlement, Juniper was cited for failing to implement or maintain a system of internal accounting controls to prevent off-book accounts, improper expenses and misuse of product discounts.
The trend continued in 2019 when Microsoft Corp. settled with the DOJ and SEC to the tune of $25.3 million for allegedly paying discounts above and beyond standard rates, with the inflated discounts being used to pay bribes to foreign officials. Similar to the aforementioned settlements, Microsoft was cited for insufficient controls given there was no evidence the additional discounts were passed on to the end customer.
Given the nuances of internal control violations, on-site audits, which include management discussions and document review, are often necessary to assess the effectiveness of controls, assure compliance with respective contract terms, and identify improper practices.
Additionally, remote audits make it challenging to answer the following questions, which are at the root of the SEC's orders:
- How are discounts controlled, approved and distributed?
- Are off-book accounts in place to provide improper access to excess funds?
- Do discounts flow to end customers?
- Are customer invoices inflated?
- Is there full transparency or are improper payments masked as discounts?
On-Site Audit Considerations
Although the ongoing pandemic and recent socioeconomic trends have put significant constraints on the ability to exercise audit rights, the need for face-to-face discussions and investigations has not dissipated. On-site, third-party audits must be strategically planned through risk assessments that involve both qualitative (e.g., local compliance and business feedback) and quantitative (e.g., financial metrics and perceived risk score) data.
It is imperative that companies leverage their compliance toolkits to proactively prevent, identify and remediate potential bribery and corruption issues.
Therefore, if on-site audits are not possible and remote access is limited, the following control measures should be considered:
- Updated work plans to include alternative procedures, such as data analytics;
- A clear definition of higher-risk transactions to enable targeted monitoring to identify outliers for further review;
- Frequent and topic-specific training for employees and third parties;
- Development of internal and third-party processes and controls surrounding requests for and ultimate application of discounts;
- Review and enhancement of internal and third-party approval and documentation requirements;
- Strengthened annual compliance certifications for third parties; and
- Refreshed due diligence for higher risk third parties.
Kevin Bandoian and Tricia Etzold are partners, and Andrew Coles is a director, at Resolution Economics LLC.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.