third party compliance: issues and strategies to mitigate corruption related risk

THIRD PARTY COMPLIANCE: ISSUES AND STRATEGIES TO MITIGATE CORRUPTION-RELATED RISKMATTHEW RUBLE, SENIOR MANAGERDAN REYNOLDS, MANAGERGRANT THORNTON, LLPInstitute of Internal Auditors- Philadelphia Chapter2015 Spring Conference – Internal Audit 2020APRIL 20, 2015

The Philadelphia Chapter was established in 1943, and is the 5th affiliate chapter of The Institute of Internal Auditors (IIA). The Philadelphia Chapter, its board of governors, its officers, The IIA , and today’s presenters are not responsible or liable for any acts or omissions and specifically disclaim any and all responsibility or liability for acts or omissions.

The material contained herein or communicated is for informational purposes only and should not be construed as accounting, financial, tax, or legal advice. Please seek guidance specific to your questions or concerns from qualified advisors.

All content including graphics or art work is protected by law and may not be duplicated in any form with out the express written permission from the Philadelphia Chapter.

© 2014 Philadelphia Chapter of the IIA

Disclaimer, Trademark, and Copyright NoticePhiladelphia Chapter of the IIA

IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

AGENDA

3

• Corruption and Bribery• Foreign Corrupt Practices Act• Third Parties• Key Components of an Effective Third Party Program• Role of Internal Audit


4

CORRUPTION:• Abuse of entrusted power for private gain

BRIBE:• Something valuable (such as money) that is given in order to

get someone to do something


BRIBERY AND CORRUPTION ARE GLOBAL CHALLENGES

5Source: 2014 Corruption Perception Index

(Transparency International)


BRIBERY AND CORRUPTION ARE GLOBAL CHALLENGES

6

Source: 2013 Global Corruption Barometer

(Transparency International)


7


8


Social

EconomicPolitical

THE IMPACT OF CORRUPTION


FOREIGN CORRUPT PRACTICES ACT (FCPA)

10


Anti-Bribery Provision• Prohibit offering or promising anything of value to a

foreign government official to obtain or retain business.

Books and Records Provision• Must maintain books and records that accurately and

fairly reflect the entities transactions.• Must maintain a system of internal accounting controls.

FCPA APPLIES TO:

11


Issuers Individuals in U.S. U.S. Citizens

Entities with U.S. Presence

Traded on U.S. Exchange

BRIBERY – NOT JUST CASH…

12


…ANYTHING OF VALUE

13


FLIR SYSTEMS, INC.

14


Casablanca

Paris

Dubai

Beirut

New York City

20 Days 12 Hours

$7 Million

LARGEST FCPA ENFORCEMENT ACTIONSCOMPANY COUNTRY PENALTY

(Millions)YEAR

Siemens Germany $800 2008Alstom France $772 2014KBR/Halliburton USA $579 2009BAE UK $400 2010Total SA France $398 2013Alcoa USA $384 2014Snamprogetti Netherlands B.V/ ENI S.p.A

Netherlands/Italy

$365 2010

Technip SA France $338 2010JGC Corporation Japan $219 2011Daimler AG Germany $185 2010

15


16


Reported FCPA cases involve third parties

Companies that do not perform due diligence on their third parties

Source: 12th Global Fraud Survey - 2013

THIRD PARTY RISK

17


THIRD PARTY RISK

THIRD PARTY RISK

18


Third Party Population

Third Party Representatives

A third party is any entity or person providing goods and/or services to anorganization.

A third party representative is any entity or person that acts on behalf of an organization.

KEY COMPONENTS OF A SUCCESSFUL PROGRAM

19


20


OPERATING MODEL

COMPONENTS

CORPORATE OBJECTIVES

KEY RISK DOMAINS

THIRD PARTY RISK LIFECYCLE

Text

Text

Third Party Risk Framework

Governance Policies & standards

Business processes

Tools & technology

Risk metrics & dashboard

Risk culture

Contractual risk

Continuity of service/product risk

Financial viability risk

Transactional / Operational risk

Credit risk

Reputational risk

Legal / regulatory risk

Geo-political risk

Information security risk

Strategic risk

Planning, risk identification

Due, diligence, 3rd party selection

Contract negotiation& on boarding

Termination &off-boarding

Growth/innovation(products/services)

Improved client experience

Cost optimization

Improved time to market

Risk & compliance mgmt

On-going monitoring & mitigation

Continuous improvement

THIRD PARTY MANAGEMENT LIFECYCLE

21

• Develop and implement a new, well-governed process to manage on-boarding of third parties– Confirm to whom/where they are doing

business, and the means by which they conduct business, etc.

• Conduct due diligence on third parties to assign levels of risk which determine the level of monitoring required

• Train the workforce and third parties on the rules and risk of fraud and corruption

• Monitor and detect transactions identify and act upon potential threats

Risk Model

Certification & Training

Verification & Updates

Reporting & Analytics

Financial Controls

Transaction Monitoring

Onboarding


22

Services to be provided

Transaction Level Geographic

RiskInteractions with govt. officials

Input From Business


RISK MODEL DEVELOPMENT

High Risk

Low RiskModerate Risk

23


STRONG TONE AT THE TOP

SUPPORTING TONE

AT THE MIDDLE

PROPER STRATEGY &

GOVERNANCE

NETWORK OF SUPPPORT

UTILIZE REPORTING AND

ANALYTICS

COMPREHENSIVE TRAINING

THIRD PARTY MANAGEMENT: KEYS TO SUCCESS

• Build and drive culture of compliance

• Communicate often

• Reinforce culture set forth by leaders

• Conduct discussion-based programs

• Don’t boil the ocean – take a risk based approach

• Make training relevant

• Train third parties on what is expected of them

• Identify critical influencers across the globe

• Develop regional/location champions

• Develop robust reporting

• Dashboards by region or business

THIRD PARTY DUE DILIGENCE: MITIGATING RISKS

24


THIRD PARTY DUE DILIGENCE

25


Due Diligence Process

Third Party Recommendation

DUE DILIGENCE PROCEDURES

26


Third Party Questionnaire

Background/ Ownership

Policies

Business References

Open Source Investigations

Enforcement Action Databases

Sanctions/ Watchlists

Civil and Criminal Prosecutions

Due Diligence Reports

Negative Media (Local Language)

Political Exposure

State-Owned Entities

27

THIRD PARTY DUE DILIGENCE: MITIGATING RISK


Contract Terms

• Anti-bribery language

• Right to audit clause

Anti-Corruption/Anti-Bribery Training

• Local language

Transaction Testing

• Review internal books and records for transactions with third party

Exercising Audit Rights

• Review third party's books and records.

Review Third Party's Compliance

Program

• Code of Conduct• Policies• Training

COLLABORATION BETWEEN COMPLIANCE AND INTERNAL AUDIT

28


29


Third Party

ProgramAudit

Third Party Program can :- provide "of interest" third

parties by region/country- share investigation findings and

recommendations for "of interest" third parties

- provide a random sample third parties

Audit can:- share audit findings of third party

investigations- gather and provide contracts,

written agreements, other relevant data

- request investigations on thirdparties

COLLABORATION BETWEEN AUDIT AND COMPLIANCE

• To maintain independence, Audit should not be part of day-to-day management of the program• Audit can provide an opinion on the compliance program

THIRD PARTY AUDITS

30


Review due diligence performed by compliance

Level 1: Internal Books and Records Review

Level 2: Third Party Books and Records Review (Exercise Right to Audit Clause)

Level 3: Third Party Compliance Program Review

OUTLOOK AND RESOURCES


31

CORRUPTION OUTLOOK

32


• Prosecution of individuals (FCPA)• DOJ tripled their task force 10 to 30• Continued Industry sweeps• More countries developing similar

legislation– Brazilian clean company act January 2014

RESOURCES

33


• FCPA (legislation): http://www.justice.gov/criminal/fraud/fcpa/

• "A Resource Guide to the U.S. Foreign Corrupt Practices Act"http://www.justice.gov/criminal/fraud/fcpa/guidance/guide.pdf

• Transparency Internationalhttp://www.transparency.org/

http://www.justice.gov/criminal/fraud/fcpa/

http://www.justice.gov/criminal/fraud/fcpa/guidance/guid

http://www.transparency.org/

LET'S KEEP THE CONVERSATION GOING

34


• Matthew Ruble– [email protected]– linkedin.com/in/matthewruble

• Dan Reynolds– [email protected]– Twitter: @DanReynoldsCFE– linkedin.com/in/dreynoldscfe

mailto:[email protected]

mailto:[email protected]

third party compliance: issues and strategies to mitigate corruption related risk

Documents