The document discusses third party risk and strategies to mitigate corruption risk. It defines corruption and bribery, and outlines the Foreign Corrupt Practices Act. It then discusses how third parties present significant risk, and outlines key components of an effective third party risk management program including due diligence, ongoing monitoring, and collaboration between compliance and internal audit functions.

1. THIRD PARTY
COMPLIANCE:
ISSUES AND STRATEGIES
TO MITIGATE
CORRUPTION-RELATED
RISK
MATTHEW RUBLE, SENIOR MANAGER
DAN REYNOLDS, MANAGER
GRANT THORNTON, LLP
Institute of Internal Auditors- Philadelphia Chapter
2015 Spring Conference – Internal Audit 2020
APRIL 20, 2015

2. The Philadelphia Chapter was established in 1943, and is the 5th affiliate chapter of The Institute of Internal
Auditors (IIA). The Philadelphia Chapter, its board of governors, its officers, The IIA , and today’s presenters
are not responsible or liable for any acts or omissions and specifically disclaim any and all responsibility or
liability for acts or omissions.
The material contained herein or communicated is for informational purposes only and should not be
construed as accounting, financial, tax, or legal advice. Please seek guidance specific to your questions or
concerns from qualified advisors.
All content including graphics or art work is protected by law and may not be duplicated in any form with out
the express written permission from the Philadelphia Chapter.
© 2014 Philadelphia Chapter of the IIA
Disclaimer, Trademark, and Copyright Notice
Philadelphia Chapter of the IIA
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

3. AGENDA
3
• Corruption and Bribery
• Foreign Corrupt Practices Act
• Third Parties
• Key Components of an Effective Third Party Program
• Role of Internal Audit
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

4. 4
CORRUPTION:
• Abuse of entrusted power for private gain
BRIBE:
• Something valuable (such as money) that is given in order to
get someone to do something
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

5. BRIBERY AND CORRUPTION ARE GLOBAL CHALLENGES
5
Source: 2014 Corruption Perception Index
(Transparency International)
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

6. BRIBERY AND CORRUPTION ARE GLOBAL CHALLENGES
6
Source: 2013 Global Corruption
Barometer
(Transparency International)
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

7. 7
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

8. 8
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

9. Social
EconomicPolitical
THE IMPACT OF CORRUPTION
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

10. FOREIGN CORRUPT PRACTICES ACT
(FCPA)
10
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
Anti-Bribery Provision
• Prohibit offering or promising anything of value to a
foreign government official to obtain or retain business.
Books and Records Provision
• Must maintain books and records that accurately and
fairly reflect the entities transactions.
• Must maintain a system of internal accounting controls.

11. FCPA APPLIES TO:
11
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
Issuers
Individuals in
U.S.
U.S. Citizens
Entities with U.S.
Presence
Traded on U.S.
Exchange

12. BRIBERY – NOT JUST CASH…
12
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

13. …ANYTHING OF VALUE
13
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

14. FLIR SYSTEMS, INC.
14
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
Casablanca
Paris
Dubai
Beirut
New York City
20 Days 12 Hours
$7 Million

15. LARGEST FCPA ENFORCEMENT ACTIONS
COMPANY COUNTRY PENALTY
(Millions)
YEAR
Siemens Germany $800 2008
Alstom France $772 2014
KBR/Halliburton USA $579 2009
BAE UK $400 2010
Total SA France $398 2013
Alcoa USA $384 2014
Snamprogetti Netherlands
B.V/ ENI S.p.A
Netherlands
/Italy
$365 2010
Technip SA France $338 2010
JGC Corporation Japan $219 2011
Daimler AG Germany $185 2010
15
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

16. 16
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
Reported FCPA cases involve third parties
Companies that do not perform due diligence
on their third parties
Source: 12th Global Fraud Survey - 2013
THIRD PARTY RISK

17. 17
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
THIRD PARTY RISK

18. THIRD PARTY RISK
18
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
Third Party
Population
Third Party
Representatives
A third party is any entity or person
providing goods and/or services to an
organization.
A third party representative is any
entity or person that acts on behalf of
an organization.

19. KEY COMPONENTS OF A
SUCCESSFUL PROGRAM
19
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

20. 20
IIA PHILADELPHIA CHAPTER 20134 SPRING CONFERENCE
OPERATING
MODEL
COMPONENTS
CORPORATE
OBJECTIVES
KEY RISK
DOMAINS
THIRD PARTY RISK
LIFECYCLE
Text
Text
Third Party Risk Framework
Governance Policies &
standards
Business
processes
Tools &
technology
Risk metrics &
dashboard
Risk culture
Contractual risk
Continuity of
service/product risk
Financial viability
risk
Transactional /
Operational risk
Credit
risk
Reputational risk
Legal / regulatory
risk
Geo-political risk
Information
security risk
Strategic
risk
Planning, risk
identification
Due, diligence,
3rd party selection
Contract negotiation
& on boarding
Termination &
off-boarding
Growth/innovation
(products/services)
Improved client
experience
Cost
optimization
Improved time to
market
Risk &
compliance mgmt
On-going monitoring
& mitigation
Continuous improvement

21. THIRD PARTY MANAGEMENT LIFECYCLE
21
• Develop and implement a new, well-
governed process to manage on-boarding
of third parties
– Confirm to whom/where they are doing
business, and the means by which they
conduct business, etc.
• Conduct due diligence on third parties to
assign levels of risk which determine the
level of monitoring required
• Train the workforce and third parties on the
rules and risk of fraud and corruption
• Monitor and detect transactions identify and
act upon potential threats
Risk Model
Certification &
Training
Verification &
Updates
Reporting &
Analytics
Financial
Controls
Transaction
Monitoring
Onboarding
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

22. 22
Services to be
provided
Transaction
Level
Geographic
Risk
Interactions
with govt.
officials
Input From
Business
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
RISK MODEL DEVELOPMENT
High Risk
Low Risk
Moderate Risk

23. 23
IIA PHILADELPHIA CHAPTER 20134 SPRING CONFERENCE
STRONG TONE
AT THE TOP
SUPPORTING
TONE
AT THE MIDDLE
PROPER
STRATEGY &
GOVERNANCE
NETWORK OF
SUPPPORT
UTILIZE
REPORTING AND
ANALYTICS
COMPREHENSIVE
TRAINING
THIRD PARTY MANAGEMENT: KEYS TO SUCCESS
• Build and drive
culture of
compliance
• Communicate
often
• Reinforce culture
set forth by
leaders
• Conduct
discussion-based
programs
• Don’t boil the
ocean – take a
risk based
approach
• Make training
relevant
• Train third parties
on what is
expected of them
• Identify critical
influencers across
the globe
• Develop
regional/location
champions
• Develop robust
reporting
• Dashboards by
region or business

24. THIRD PARTY DUE
DILIGENCE: MITIGATING
RISKS
24
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

25. THIRD PARTY DUE DILIGENCE
25
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
Due Diligence Process
Third Party Recommendation

26. DUE DILIGENCE PROCEDURES
26
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
Third Party
Questionnaire
Background/
Ownership
Policies
Business
References
Open Source
Investigations
Enforcement
Action Databases
Sanctions/
Watchlists
Civil and Criminal
Prosecutions
Due Diligence
Reports
Negative Media
(Local Language)
Political Exposure
State-Owned
Entities

27. 27
THIRD PARTY DUE DILIGENCE: MITIGATING RISK
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
Contract Terms
• Anti-bribery
language
• Right to audit
clause
Anti-
Corruption/Anti-
Bribery Training
• Local language
Transaction Testing
• Review internal
books and records
for transactions
with third party
Exercising Audit
Rights
• Review third
party's books and
records.
Review Third
Party's Compliance
Program
• Code of Conduct
• Policies
• Training

28. COLLABORATION
BETWEEN COMPLIANCE
AND INTERNAL AUDIT
28
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE

29. 29
IIA PHILADELPHIA CHAPTER 20134 SPRING CONFERENCE
Third
Party
Program
Audit
Third Party Program can :
- provide "of interest" third
parties by region/country
- share investigation findings and
recommendations for "of
interest" third parties
- provide a random sample third
parties
Audit can:
- share audit findings of third party
investigations
- gather and provide contracts,
written agreements, other
relevant data
- request investigations on third
parties
COLLABORATION BETWEEN AUDIT AND
COMPLIANCE
• To maintain independence, Audit should not be part of day-to-day management of the program
• Audit can provide an opinion on the compliance program

30. THIRD PARTY AUDITS
30
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
Review due diligence performed by
compliance
Level 1: Internal Books and Records
Review
Level 2: Third Party Books and Records
Review (Exercise Right to Audit Clause)
Level 3: Third Party Compliance Program
Review

31. OUTLOOK AND RESOURCES
IIA PHILADELPHIA CHAPTER 20134 SPRING CONFERENCE
31

32. CORRUPTION OUTLOOK
32
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
• Prosecution of individuals (FCPA)
• DOJ tripled their task force 10 to 30
• Continued Industry sweeps
• More countries developing similar
legislation
– Brazilian clean company act January 2014

33. RESOURCES
33
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
• FCPA (legislation):
http://www.justice.gov/criminal/fraud/fcpa/
• "A Resource Guide to the U.S. Foreign Corrupt
Practices Act"
http://www.justice.gov/criminal/fraud/fcpa/guidance/guid
e.pdf
• Transparency International
http://www.transparency.org/

34. LET'S KEEP THE CONVERSATION GOING
34
IIA PHILADELPHIA CHAPTER 2015 SPRING CONFERENCE
• Matthew Ruble
– Matthew.Ruble@us.gt.com
– linkedin.com/in/matthewruble
• Dan Reynolds
– Dan.Reynolds@us.gt.com
– Twitter: @DanReynoldsCFE
– linkedin.com/in/dreynoldscfe