Third Party Compliance: Issues and Strategies to Mitigate Corruption Related Risk
1. THIRD PARTY COMPLIANCE: ISSUES AND STRATEGIES TO MITIGATE CORRUPTION-RELATED RISK
MATTHEW RUBLE, SENIOR MANAGER
DAN REYNOLDS, MANAGER
GRANT THORNTON, LLP
Institute of Internal Auditors- Philadelphia Chapter
2015 Spring Conference – Internal Audit 2020
APRIL 20, 2015
3. AGENDA
• Corruption and Bribery
• Foreign Corrupt Practices Act
• Third Parties
• Key Components of an Effective Third Party Program
• Role of Internal Audit
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
4.
CORRUPTION:
• Abuse of entrusted power for private gain
BRIBE:
• Something valuable (such as money) that is given in order to get someone to do something
5. BRIBERY AND CORRUPTION ARE GLOBAL CHALLENGES
Source: 2014 Corruption Perception Index (Transparency International)
6. BRIBERY AND CORRUPTION ARE GLOBAL CHALLENGES
Source: 2013 Global Corruption Barometer (Transparency International)
10. FOREIGN CORRUPT PRACTICES ACT (FCPA)
Anti-Bribery Provision
• Prohibits offering or promising anything of value to a foreign government official to obtain or retain business.
Books and Records Provision
• Must maintain books and records that accurately and fairly reflect the entity's transactions.
• Must maintain a system of internal accounting controls.
11. FCPA APPLIES TO:
• Issuers
• Individuals in U.S.
• U.S. Citizens
• Entities with U.S. Presence
• Traded on U.S. Exchange
12. BRIBERY – NOT JUST CASH…
14. FLIR SYSTEMS, INC.
Casablanca
Paris
Dubai
Beirut
New York City
20 Days 12 Hours
$7 Million
15. LARGEST FCPA ENFORCEMENT ACTIONS
COMPANY | COUNTRY | PENALTY (Millions) | YEAR
Siemens | Germany | $800 | 2008
Alstom | France | $772 | 2014
KBR/Halliburton | USA | $579 | 2009
BAE | UK | $400 | 2010
Total SA | France | $398 | 2013
Alcoa | USA | $384 | 2014
Snamprogetti Netherlands B.V./ENI S.p.A. | Netherlands/Italy | $365 | 2010
Technip SA | France | $338 | 2010
JGC Corporation | Japan | $219 | 2011
Daimler AG | Germany | $185 | 2010
16. THIRD PARTY RISK
Reported FCPA cases involve third parties
Companies that do not perform due diligence on their third parties
Source: 12th Global Fraud Survey - 2013
18. THIRD PARTY RISK
Third Party Population
A third party is any entity or person providing goods and/or services to an organization.
Third Party Representatives
A third party representative is any entity or person that acts on behalf of an organization.
19. KEY COMPONENTS OF A SUCCESSFUL PROGRAM
20. THIRD PARTY RISK FRAMEWORK
CORPORATE OBJECTIVES
• Growth/innovation (products/services)
• Improved client experience
• Cost optimization
• Improved time to market
• Risk & compliance mgmt
OPERATING MODEL COMPONENTS
• Governance
• Policies & standards
• Business processes
• Tools & technology
• Risk metrics & dashboard
• Risk culture
KEY RISK DOMAINS
• Contractual risk
• Continuity of service/product risk
• Financial viability risk
• Transactional / Operational risk
• Credit risk
• Reputational risk
• Legal / regulatory risk
• Geo-political risk
• Information security risk
• Strategic risk
THIRD PARTY RISK LIFECYCLE
• Planning, risk identification
• Due diligence, 3rd party selection
• Contract negotiation & on boarding
• On-going monitoring & mitigation
• Termination & off-boarding
• Continuous improvement
21. THIRD PARTY MANAGEMENT LIFECYCLE
• Develop and implement a new, well-governed process to manage on-boarding of third parties
– Confirm with whom/where they are doing business, and the means by which they conduct business, etc.
• Conduct due diligence on third parties to assign levels of risk which determine the level of monitoring required
• Train the workforce and third parties on the rules and risk of fraud and corruption
• Monitor and detect transactions, identify and act upon potential threats
Lifecycle diagram: Risk Model; Onboarding; Certification & Training; Verification & Updates; Financial Controls; Transaction Monitoring; Reporting & Analytics
23. THIRD PARTY MANAGEMENT: KEYS TO SUCCESS
STRONG TONE AT THE TOP
• Build and drive culture of compliance
• Communicate often
SUPPORTING TONE AT THE MIDDLE
• Reinforce culture set forth by leaders
• Conduct discussion-based programs
PROPER STRATEGY & GOVERNANCE
• Don’t boil the ocean – take a risk based approach
COMPREHENSIVE TRAINING
• Make training relevant
• Train third parties on what is expected of them
NETWORK OF SUPPORT
• Identify critical influencers across the globe
• Develop regional/location champions
UTILIZE REPORTING AND ANALYTICS
• Develop robust reporting
• Dashboards by region or business
25. THIRD PARTY DUE DILIGENCE
Due Diligence Process
Third Party Recommendation
26. DUE DILIGENCE PROCEDURES
Third Party Questionnaire
• Background/Ownership
• Policies
• Business References
Open Source Investigations
• Enforcement Action Databases
• Sanctions/Watchlists
• Civil and Criminal Prosecutions
Due Diligence Reports
• Negative Media (Local Language)
• Political Exposure
• State-Owned Entities
27. THIRD PARTY DUE DILIGENCE: MITIGATING RISK
Contract Terms
• Anti-bribery language
• Right to audit clause
Anti-Corruption/Anti-Bribery Training
• Local language
Transaction Testing
• Review internal books and records for transactions with third party
Exercising Audit Rights
• Review third party's books and records.
Review Third Party's Compliance Program
• Code of Conduct
• Policies
• Training
29. COLLABORATION BETWEEN AUDIT AND COMPLIANCE
Third Party Program can:
- provide "of interest" third parties by region/country
- share investigation findings and recommendations for "of interest" third parties
- provide a random sample of third parties
Audit can:
- share audit findings of third party investigations
- gather and provide contracts, written agreements, other relevant data
- request investigations on third parties
• To maintain independence, Audit should not be part of day-to-day management of the program
• Audit can provide an opinion on the compliance program
30. THIRD PARTY AUDITS
Review due diligence performed by compliance
Level 1: Internal Books and Records Review
Level 2: Third Party Books and Records Review (Exercise Right to Audit Clause)
Level 3: Third Party Compliance Program Review
32. CORRUPTION OUTLOOK
• Prosecution of individuals (FCPA)
• DOJ tripled their task force from 10 to 30
• Continued industry sweeps
• More countries developing similar legislation
– Brazilian Clean Company Act, January 2014
33. RESOURCES
• FCPA (legislation): http://www.justice.gov/criminal/fraud/fcpa/
• "A Resource Guide to the U.S. Foreign Corrupt Practices Act": http://www.justice.gov/criminal/fraud/fcpa/guidance/guide.pdf
• Transparency International: http://www.transparency.org/
34. LET'S KEEP THE CONVERSATION GOING
• Matthew Ruble
– Matthew.Ruble@us.gt.com
– linkedin.com/in/matthewruble
• Dan Reynolds
– Dan.Reynolds@us.gt.com
– Twitter: @DanReynoldsCFE
– linkedin.com/in/dreynoldscfe