Niranjan Bopardikar, director of GRC product strategy for Greenlight Technologies, shares his answers to some top-of-mind questions regarding the Foreign Corrupt Practices Act (FCPA) in this guest Q&A.
What is the FCPA?
FCPA stands for "Foreign Corrupt Practices Act". The United States Congress passed this law in the late 1970s, which prohibits any company that is listed on any United States Stock Exchange from bribing any foreign official in order to gain or retain business. The law is fairly broad in its description and definition of bribery. It is being enforced by the Department of Justice (DOJ) and by the Securities and Exchange Commission (SEC).
For many years after the law was created, very little was done to enforce the provisions on companies or individuals. This has changed over the past several years and now the SEC and DOJ are pursuing companies vigorously by prosecuting and imposing severe fines and penalties on violators. Lately, fines ranging from several millions of dollars up to $1.6 billion have been levied against companies. The largest fine so far -- in a highly publicized case -- was levied against Siemens. The SEC and DOJ are now taking FCPA compliance very seriously; their actions and judgments should not be taken lightly by senior management at publicly traded companies.
It is vital for publicly traded companies to be able to demonstrate they maintain effective internal controls to prevent FCPA violations. These controls apply to all staff, as well as management and external agents working for the company. Being able to show there are policies and procedures in place, as well as training programs and system safeguards, becomes critical for FCPA compliance. Today, many companies remain exposed to huge risks in this area.
In fact, the SEC recently had its first guilty plea for people charged as control persons for FCPA violations. Basically, a "control person" is someone who "controls" or manages someone who violates the FCPA. In effect, if your employee bribes a foreign official, then you should have known about it. This is a very important aspect of FCPA because it greatly extends the potential list of violators, and is likely to make FCPA compliance more "personal" for many companies.
What are the biggest hurdles for companies facing FCPA compliance?
I believe one of the most difficult challenges for companies is being able to identify and track FCPA activities. Often these activities will be concealed and most senior managers may not even be aware it is going on inside the company until it is too late. You also have to remember that the "bribe" may be cash as an overt attempt to gain business, but it can also be more subtle. For example, instead of cash, perhaps a gift or services or vacation, a car or boat, hiring a relative or any number of other items may be used to entice a foreign official. Giving "anything of value" can constitute bribery in terms of FCPA compliance. And to complicate matters even more, it could be conducted through an external source or an agent on behalf of the company.
It is extremely difficult -- if not impossible -- for a large enterprise to identify and prevent FCPA violations unless they employ some type of automation to filter through the mountains of data that may hide FCPA-related activities. Just imagine all the purchases and payments that a company may incur on an annual basis. Being able to filter through thousands of transactions looking for ones that may have gone to a foreign official is a huge challenge -- particularly considering the difficulty of identifying foreign officials and linking them as someone receiving a bribe.
You also need support from the top of the company down through the ranks to make sure everyone is aware of the policies and that all employees are following them properly. These procedures must be implemented companywide; each division, region and subsidiary is responsible for following the established guidelines and processes. Internal controls must be continuously tested to make sure any "red flags" are addressed and corrective actions are taken.
How can companies streamline FCPA compliance and tie it into their GRC effort?
In attempting to identify and prevent violations of FCPA, there are a number of key things that can be done, including the following:
- Automate or semi-automate internal controls as much as possible.
- Increase the frequency of the control checks.
- Link controls across different parts of the organization to get the complete picture.
- Concentrate on process improvements to avoid red flags.
- Fix responsibility at each level and follow efficient work flow to act on control violations.
Companies can also leverage technology solutions to help with FCPA compliance. CA and Greenlight Technologies have been working together to help enterprises more effectively manage FCPA compliance. Together we've been focusing on developing solutions that support the following:
- Easy to relate controls from different parts of the company which may or may not be using the same data storage architecture (e.g. SAP for finance and PeopleSoft for HR).
- Easy to track real-time changes, enabling you to take a preventive approach.
- Efficient workflow can be implemented to resolve control violations that should lead to process improvements as well as fixing responsibility at each level.
- Implementing technology can generate audit data that can be used in case of an FCPA inquiry. This will be helpful in reducing the liability of the company and the management.
You can read more about this topic here. We also encourage you to sign up for our upcoming webinar "Creating Sustainable SOX and FCPA Compliance Programs" taking place on October 13, 2009 at 11:00 am ET. Click here to register.
Given the renewed interest in FCPA compliance, enterprises should be taking a close look at their internal controls, their processes and procedures, and taking the necessary steps to meet the FCPA's requirements. The potential monetary risk is significant -- with millions, if not billions of dollars in fines -- but enterprises should also think about the risk to corporate reputation, an immeasurable but sometimes even more damaging end result of non-compliance.
==========================

Niranjan Bopardikar
Director - Product Strategy
Greenlight Technologies
Niranjan has over 10 years of experience developing software products and services in the BI and GRC space. He has worked internationally in the software development industry including the USA, Europe and India. He is currently a member of the product strategy team at Greenlight Technologies and manages product development for control automation. Niranjan holds a Master's degree in Computer Science from the University of Louisiana.