Foreign Corrupt Practices Act (FCPA) Review
Introduction & Background:
The Foreign Corrupt Practices Act of 1977 (FCPA) was created in response to both global expansion and apparent corruption permeating US businesses including all entities listed on American exchanges. FCPA addresses specific elements of internal controls related to administration and management dealings. In the early 1970’s Watergate Affair investigators identified many questionable practices including bribes and other suspect dealings that were not directly addressed under the law. The SEC delivered a report in 1976 to the Senate Banking Committee regarding possible corporate payments and practices that were potentially illegal.
Federal legislation, the FCPA, was enacted the following year to address:
; Prohibitions on bribes and questionable payments
; Establishment of a system of internal accounting controls
; Development and maintenance of an accurate set of books and records
These provisions were very significant since they directly addressed illegal payments that were presumed hidden through accounting tactics. For example, companies would participate in bribes and payments and falsify records or purposely keep incomplete records. Further, the law adopted the specific wording of the AICPA’s definition of
internal controls to create a solid linkage between business practices that are often vague. For the first time, management was responsible for accounting internal controls.
“make and keep books, records and accounts, which in reasonable detail,
accurately and fairly reflect the transactions and dispositions of the assets of the
Established well before the Sarbanes-Oxley Act of 2002 (SOA), the FCPA required management to maintain a system of internal controls that provided ‘reasonable
assurances’ that transactions were authorized and in accordance with General Audit and Accounting Principles (GAAP).
The penalty for violation of FCPA bribery provisions, which applies to both listed companies and all other US entities, is up to $1M and/or 5 years imprisonment for influencing significant foreign officials to misuse position for gain. Although many organizations started to document internal controls subsequent to the law’s passage, litigation was minimal.
Internal audit should be aware of the FCPA as it is still applicable and a baseline to understanding the evolution of internal controls. Many reports and studies followed the FCPA to evaluate, define, and mediate possible mandates concerning internal controls through the 70s and 80s along with several AICPA Statements on Auditing Standards (SAS 30, 43, 48, 55, 78) and SEC commissioned studies (Cohen & Treadway Commission Reports). COSO subsequently set out to define internal control.
The following work program focuses upon the internal responsibilities of corporate compliance with the FCPA. Controls will span several internal functions and external organization’s (especially subsidiaries’) international dealings, related cash payments, vendor arrangements, and ethics programs.
This work program includes some general and specific tests that can be modified to reflect the specific plans and the special administration attributes of your organization. SEC regulated entities must ensure compliance that includes (wording directly from Act):
; Make and keep books, records, and accounts, which, in reasonable detail,
accurately and fairly reflect the transactions and dispositions of the assets of the
; Devise and maintain a system of internal accounting controls sufficient to
provide reasonable assurances that:
o Access to assets is permitted only in accordance with management’s
general or specific authorization
o Transactions are executed in accordance with management’s general of
o Transactions are recorded as necessary both to permit the preparation
of financial statements in conformity with generally accepted accounting
principles or an other criteria applicable to such statements, and also to
maintain accountability for assets
o The recorded accountability for assets is compared with the existing
assets at reasonable intervals, and appropriate action is taken with
respect to any differences
The following control areas are considerations for auditors in customizing this work program.
Administrative Controls: During the course of the audit, the auditor should gain an understanding of the company's systems for collecting and reporting time worked, processing payroll, and distributing labor charges to cost objectives.
Organizational Controls: These controls ensure that functions and activities are
established in accordance with management objectives, authority delegated to management is commensurate with their responsibility, and staffing and supervision is adequate. Effective organization controls rely upon a logical organizational structure with adequate segregation of duties.
Information System Controls: These controls assure that the accounting information system provides management with an awareness of operational efficiency and adhere to prescribed managerial policies. During the course of the audit the auditor should remain alert for weaknesses in the information systems that could lead to errors.
The audit will assess the current status of training and agreements along with a 12 month period of financial statements and petty cash disbursements. The following areas and audit steps will be included in the scope:
A. Policies and procedures
B. Foreign bank accounts and bank reconciliations
C. Distributor, agent, and rep agreements
D. Internal training
E. Payments to foreign government officials
F. Foreign financial statements
G. Petty Cash funds and disbursement
Areas of Concern:
Describe any known issues that possibly led to this audit being included in the annual audit plan along with general areas in which the entity might have unique vulnerabilities to the FCPA or where compliance might be weak or suspect.
Note: the accounting requirements of the FCPA only apply to publicly traded companies; however, the requirements reflect sound business practices that any company would need to follow in order to be successful. The bribery provisions prohibiting bribes to foreign officials apply to all US companies.
Project Team (list members):
Project Timing: Date Comments: Planning
Report Issuance (Local)
Report Issuance (Worldwide)
Unit: Unit Contact:
Initials Comments/Reference Item Work Step
Planning ~ Audit Objectives
A Evaluate the Company's policies, procedures, and
training relating to the FCPA.
B Devise and perform compliance tests to provide
reasonable assurance that the requirements of the
Act are being complied with in all material respects.
C Identify any waste or inefficiencies in the processes
for insuring compliance with the FCPA.
D Report results of testing and recommendations for
improvements in policies, controls, and processes to
help ensure compliance with the FCPA.
Audit Step Initial Comments Planning and Preparation
1. Review available subject matter resources related to
stock administration, practice guides, etc.
2. Set up binder and work paper sections
3. Develop project plan and determine scope
4. Budget the amount of hours
5. Coordinate meetings with relevant client personnel
6. Review the Audit Follow-Up File and determine if there
is any follow-up from previous audits that needs to be
done concurrently with this assignment
7. Obtain an organization chart and identify key
8. Identify key risk and control points
9. Review documents prior to beginning fieldwork.
a. Identify and review pertinent local policies and
b. Obtain copies of forms and reports used by the
function being audited.
c. Identify and review pertinent laws and regulations.
10. Conduct an entrance meeting with auditee
a. Invite the appropriate personnel to attend.
b. Discuss the audit objectives, scope, and
methodology, along with information that the
Audit Step Initial Comments
auditee will need to supply.
c. Establish a cooperative tone
11. Develop an internal control questionnaire
a. Include key control points and solicit information
regarding the functioning of those controls.
Fieldwork A. Background Processes 1. Perform a preliminary risk assessment to determine
initial sample size requirements.
2. Perform a walkthrough to evaluate key assertions. 3. Interview key personnel with the internal control
questionnaire to determine whether the system has
been implemented and is operating as designed.
B. Preliminary Evaluation -Questionnaires Note: The following questions are designed to aid the auditor in evaluating the adequacy of the internal controls.
They cannot be considered all inclusive. There may be
additional control considerations unique to each audit.
Administrative Controls 1. Has awareness training been provided to key
2. Does the policy address all the requirements of the
3. Are foreign bank statements reconciled on a monthly
basis and are any necessary adjustments in the
general ledger control accounts made?
4. Are financial records for all foreign entities kept in
accordance with GAAP?
5. Does someone in the accounting organization review
all foreign transactions and payments?
6. Do all subcontracts and purchase orders to foreign
subcontractors flow down appropriate FCPA clauses?
7. Do all consultant/contractor, representative, and agent
contracts include appropriate FCPA clauses?
8. Do key employees certify that they are in compliance
with the FCPA?
Audit Step Initial Comments
9. Is there adequate segregation of duties between the
custody of cash in foreign checking accounts and the
person who performs the bank reconciliations?
10. Is there adequate training and supervision of the
clerical people doing the foreign accounting and
reconciling the foreign bank statements so that they
would recognize non-compliance with the FCPA?
Information System Controls
11. Are data file storage procedures in place to ensure
FCPA compliance data is backed up to provide timely
access during recovery efforts?
12. Are security access controls including access rights to
critical FCPA compliance information in place to
prevent unauthorized access?
C. Controls - Training
1. Review existing Company policies and procedures in
light of the Foreign Corrupt Practices Act and evaluate
2. Review the Company's training materials for the
Foreign Corrupt Practices Act and comment on their
3. Determine if the training incorporates a discussion of
the accounting requirements of the Act and the
company's implementing policies and procedures
rather than just a discussion of the Act itself.
4. Determine whether the Company has identified the
key employees who should have FCPA training and
developed a training plan.
5. Determine whether the Company has provided FCPA
training to the key employees identified.
D. Controls – Agent & Representative Payments
1. Obtain copies of and review all foreign agent,
representative, and distributor agreements.
2. Identify all foreign agents, representatives, and
3. Verify that FCPA requirements have been included
and certification of compliance is obtained from the
agent on a periodic basis.
4. Review a sample of payments to foreign agents,
representatives, and distributors over the past 12
5. Follow up on any payments that appear questionable.
Audit Step Initial Comments E. Controls – Government Officials
1. Identify all payments made to government employees
and foreign officials over the past 12 months.
2. Follow up on any payments that appear questionable.
F. Controls - Foreign Entity Financial Stmts
1. Identify all foreign operations that are wholly owned
or majority owned.
2. Determine whether they have financial records that
comply with the FCPA accounting requirements
and appear adequate for GAAP reporting.
3. Review check registers for the past 12 months and
follow-up on any disbursements that appear out of
the ordinary or which appear to be questionable.
G. Controls - Foreign Bank Account Reconciliation
1. Identify all foreign bank accounts.
2. Review the bank reconciliations and the bank
statements for the above accounts and ensure
that they match the ledger.
3. Identify all foreign petty cash accounts.
4. Review the past 12 months of disbursements
and follow up on any disbursements that appear
Summary of Issues Identified 1. Based on the initial assessment and subsequent
detailed testing, modify the current administrative
procedures to correct future administrative issues.
2. Discuss any exceptions or control issues with area
management immediately to clarify, subsequently
confirm, and develop recommendations for
improvement. Review with audit management.
Report Drafting and Issuance
1. Review findings/test results and set up file.
a. Manager should review preliminary
recommendations and related
2. Draft report of findings and recommendations.
3. Closing Meeting and Delivery of Report.
a. Present report to client and/or legal counsel.
b. Discuss findings and recommendations for
c. Also offer solutions to provide efficiencies and
prevent recurrence of errors.
4. Identify Solutions and Develop Processes.
a. Team with client to identify practical solutions to
Audit Step Initial Comments b. Assist in developing processes and procedures to
facilitate plan administration.